b'                                                                 UNCLASSIFIED\n\n\n                                                United States Department of State\n\n                                             and the Broadcasting Board of Governors\n\n                                                    Office of Inspector General\n\nOffice of Inspector General\n\t\n\n                                                         Office of Audits\n\n\n\n                                           Evaluation of Department of State\n\n                                            Information Security Program\n\n\n                                            Report Number AUD/IT-12-14, November 2011\n\n\n\n\n                                                                 Important Notice\n\n                                This report is intended solely for the official use of the Department of State or the\n                                Broadcasting Board of Governors, or any agency or organization receiving a copy\n                                directly from the Office of Inspector General. No secondary distribution may be\n                                made, in whole or in part, outside the Department of State or the Broadcasting Board\n                                of Governors, by them or by other agencies of organizations, without prior\n                                authorization by the Inspector General. Public availability of the document will be\n                                determined by the Inspector General under the U.S. Code, 5 U.S.C. \xc2\xa7 552. Improper\n                                disclosure of this report may result in criminal, civil, or administrative penalties.\n\n\n\n                                                                UNCLASSIFIED\n\n\x0c                                                               United States Department of State\n                                                               and the Broadcasting Board of Governors\n\n                                                               Office of Inspector General\n\n                                             PREFACE\n\n        This report is being transmitted pursuant to the Inspector General Act of 1978, as\namended, and Section 209 of the Foreign Service Act of 1980, as amended. It is one ofa series\nof audit, inspection, investigative, and special reports prepared as part of the Office of Inspector\nGeneral\'s (OIG) responsibility to promote effective management, accountability, and positive\nchange in the Department of State and the Broadcasting Board of Governors.\n\n         In accordance with the Federal Information Security Management Act of2002 (FISMA),\nOIG performed a review of the Department of State Information Security Program for FY 2011 .\nTo perform this review, OIG contracted with the independent public accountant Williams, Adley\n& Company, LLP. The contract required that the independent public accountant perform its\nevaluation in accordance with guidance contained in the Government Auditing Standards, issued\nby the Comptroller General of the United States. The public accountant\'s report is included.\nThe report is based on interviews with employees and officials of relevant agencies and\ninstitutions, direct observation, and a review of applicable documents.\n\n       The independent public accountant identified areas in which improvements could be\nmade, including the risk management program, security configuration management, security\nawareness and role-based training, plans of actions and milestones, account and identity\nmanagement, user provisioning process, continuous monitoring, continuity of operations\nprogram, information systems contingency planning, oversight of contractor systems, and capital\nplanning.\n\n        OIG evaluated the nature, extent, and timing of Williams, Adley & Company\'s work;\nmonitored progress throughout the evaluation; reviewed Williams, Adley & Company\'s\nsupporting documentation; evaluated key judgments; and performed other procedures as\nappropriate. OIG concurs with Williams, Adley & Company\'s findings, and the\nrecommendations contained in the report were developed on the basis of the best knowledge\navailable and were discussed in draft form with those individuals responsible for\nimplementation. ~IG \' s analysis of management\'s response to the recommendations has been\nincorporated into the report. OIG trusts that this report will result in more effective, efficient,\nand/or economical operations.\n\n        I express my appreciation to all of the individuals who contributed to the preparation of\nthis report.\n\n\n\n                                   /f\xc2\xa3:K,~ \n\n                                       Harold W. Geisel \n\n                                       Deputy Inspector General \n\n\x0c                                            UNCLASSIFIED\n\n\n\n\n\n~,\nl !       j.\'\n      \';.11 WILLIAMS\n                  ADLEY\n\n                   Evaluation of Department of State Information Security Program\n\n\n November 7,2011\n\n\n Office of Inspector General\n U.S . Department of State\n 2201 CSt., NW\n Washington, D.C. 20520\n\n\n Williams, Adley & Company, LLP (referred to as "we" in this letter), is pleased to provide the\n Office of Inspector General (OIG) the results of the evaluation of the Department of State\n (Department) Information Security Program for FY 2011. We evaluated the Department\'s\n Information Security Program performance in compliance with the Federal Information Security\n Management Act, Office of Management and Budget (OMB), and National Institute of Standards\n and Technology regulations, standards, and requirements. Additionally, the evaluation was\n performed to provide sufficient support for OIG in providing responses to OMB in accordance\n with OMB Memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information\n Security Management Act and Agency Privacy Management, dated September 14, 2011.\n\n This evaluation, performed under Contract No. SAQMMAIOF2159, was designed to meet the\n objectives identified in Appendix A, "Objectives, Scope, and Methodology," of the report. We\n communicated the results of our review and the related findings and recommendations to the\n Department\'s management.\n\n We appreciate the cooperation provided by Department personnel during the evaluation. Should\n    have             .    or if we can be of further assistance, please contact either _\n(b) (6)\n\n\n\n\n                                    WILLIAMS, ADLEY & COMPANY-DC , LLP\n                             Certified Public Accountants / Management Consultants\n          1030 1Slh Street, NW, Suite 300W \xe2\x80\xa2 Washington , DC 20005 \xe2\x80\xa2 (202) 371-1397 \xe2\x80\xa2 Fax: (202) 371-9161\n                                              www.wllllamsadley.com\n\n\n\n\n                                            UNCLASSIFIED\n\n\x0c                                   UNCLASSIFIED\n\n\n\nAcronyms\nAD             Active Directory \n\nATO            Authority to Operate\n\t\nBEAP           Bureau Emergency Action Plan \n\nBIA            Business Impact Assessment\n\t\nBIMC           Beltsville Information Management Center \n\nCCP            COOP Communications Plan \n\nCIO            Chief Information Officer \n\nCM             Configuration Management \n\nCMS            Content Management System \n\nCNSS           Committee on National Security Systems \n\nCOCO           Contractor Owned Contractor Operated\n\t\nCOOP           Continuity of Operations Plan \n\nCP             Contingency Plan \n\nCPIC           Capital Planning and Investment Control \n\nCPM            Central Patch Management \n\nCVE\t\t          Common Vulnerability Exposure\nDepartment \t   U.S. Department of State\nDHS \t          Department of Homeland Security\nDS \t           Bureau of Diplomatic Security\nDS/EV \t        Diplomatic Security/Enterprise Vulnerability\nDS/SI/CS \t     Diplomatic Security/Security Infrastructure/Office of Computer Security\nENM \t          IRM/Enterprise Network Management\nESOC \t         Enterprise Service Operation Center\nFAM \t          Foreign Affairs Manual\nFCD \t          Federal Continuity Directive\nFIPS \t         Federal Information Processing Standards\nFISMA \t        Federal Information Security Management Act\nFTE \t          full time equivalent\nGAO \t          Government Accountability Office\nGSS \t          General Support System\nIA \t           Information Assurance\nIBWC\t\t         International Boundary and Water Commission\nIRM/ENM \t      Bureau of Information Resource Management, Enterprise Network \n\n               Management \n\nIRM/IA\t\t       Bureau of Information Resource Management, Office of Information \n\n               Assurance \n\nISCP \t         Information System Contingency Plan\nISP \t          Internet Service Provider\nISSC \t         Information Security Steering Committee\nISSO \t         Information System Security Officer\n\n\n                                   UNCLASSIFIED\n\n\x0c                              UNCLASSIFIED\n\nIT        information technology\nITAB      Information Technology Asset Baseline\nITSP      Information Technology Strategic Plan\nMSDC      Main State Data Center\nNIST      National Institute of Standards and Technology\nOEM       Office of Emergency Management\nOIG       Office of Inspector General\nOMB       Office of Management and Budget\nONE       OpenNet Everywhere\nPB        Program Board\nPIA       Privacy Impact Assessment\nPMEF      Primary Mission Essential Functions\nPOA&M     Plans of Action and Milestones\nRBAC      Role Based Access Controls\nRMF       Risk Management Framework\nSARs      Security Assessment Reports\nSMART     State Messaging and Archive Retrieval Toolset\nSP        Special Publication\nSSO       System Security Officer\nSSP       System Security Plan\nSSR       Significant Security Responsibilities\nTDS       DOS Telegram Delivery\nUPI       Unique Project Identifier\nUSEVI     United States Embassy Vienna Internet\nWEBPASS   Web Post Administrative Software Suite\nWINAD     OpenNet Windows Active Directory\n\n\n\n\n                              UNCLASSIFIED\n\n\x0c                                                 UNCLASSIFIED\n\n\n\n                                              Table of Contents\n\n\nEXECUTIVE SUMMARY ..............................................................................................1\n\xc2\xa0\nBACKGROUND ............................................................................................................6\n\xc2\xa0\nRESULTS OF REVIEW .................................................................................................7\n\xc2\xa0\nA.\t\xc2\xa0         RISK MANAGEMENT FRAMEWORK NEEDS IMPROVEMENT .....................7\n\xc2\xa0\nB.\t\xc2\xa0         SECURITY CONFIGURATION MANAGEMENT NEEDS IMPROVEMENT .....11\n\xc2\xa0\nC.\t\xc2\xa0         INFORMATION SECURITY TRAINING REQUIREMENTS WERE NOT \n\n             ENFORCED ................................................................................................13\n\xc2\xa0\nD.\t\xc2\xa0         PLANS OF ACTION AND MILESTONES ARE NOT EFFECTIVE ..................15\n\xc2\xa0\nE.\t\xc2\xa0         ACCOUNT MANAGEMENT PROCESSES IN ACTIVE DIRECTORY NEED TO \n\n             BE IMPROVED ...........................................................................................17\n\xc2\xa0\nF.\t\xc2\xa0         THE USER PROVISIONING PROCESS FOR CREATING, MODIFYING, AND \n\n             DISABLING USERS\xe2\x80\x99 ACCOUNTS REQUIRES SIGNIFICANT \n\n             IMPROVEMENT .........................................................................................19\n\xc2\xa0\nG.\t\xc2\xa0         CONTINUOUS MONITORING PROGRAM NEEDS TO BE IMPROVED .........21\n\xc2\xa0\nH.\t\xc2\xa0         THE CONTINUITY OF OPERATIONS PROGRAM \n\n             NEEDS TO BE IMPROVED..........................................................................24\n\xc2\xa0\nI.\t\xc2\xa0         INFORMATION SYSTEM CONTINGENCY PLANS \n\n             NEEDS TO BE IMPROVED .........................................................................26\n\xc2\xa0\nJ.\t\xc2\xa0         OVERSIGHT OF CONTRACTOR SYSTEMS AND EXTENSIONS NEEDS \n\n             IMPROVEMENT .........................................................................................29\n\xc2\xa0\nK.\xc2\xa0          CAPITAL PLANNING REQUIRES IMPROVEMENT .....................................31\n\xc2\xa0\nLIST OF CURRENT YEAR RECOMMENDATIONS ......................................................36\n\xc2\xa0\nAPPENDIX A. OBJECTIVES, SCOPE, AND METHODOLOGY .....................................41\n\xc2\xa0\nAPPENDIX B. FOLLOWUP OF RECOMMENDATIONS FROM THE FY 2010 FISMA\n\n       REPORT.....................................................................................................44\n\xc2\xa0\nAPPENDIX C. SYSTEMS WITH INVALID AUTHORITY TO OPERATE ......................47\n\xc2\xa0\nAPPENDIX D. SYSTEMS WITH OUTDATED SECURITY BASELINE CONTROLS .......48\n\xc2\xa0\nAPPENDIX E. VULNERABILITY ASSESSMENT .........................................................50\n\xc2\xa0\n\n\n                                                 UNCLASSIFIED\n\n\x0c                                             UNCLASSIFIED\n\n\n\nAPPENDIX F. SYSTEMS WITHOUT ANNUAL BACKUP PLAN TESTING ...................55\n\xc2\xa0\nAPPENDIX G. SERVERS WITHOUT CRITICAL PATCHES ........................................56\n\xc2\xa0\nAPPENDIX H. SUMMARY OF DEPARTMENT OF STATE\xe2\x80\x99S CONTINUOUS \n\n       MONITORING CONTROLS COMPLIANCE WITH FEDERAL GUIDANCE....57\n\xc2\xa0\nAPPENDIX I. SAMPLE SELECTION OF INFORMATION SYSTEMS LISTED IN\n\n       INFORMATION TECHNOLOGY ASSET BASELINE USED FOR FY2011\n\n       EVALUATION ............................................................................................59\n\xc2\xa0\nAPPENDIX J. DEPARTMENT OF STATE RESPONSE ..................................................61\n\xc2\xa0\n\n\n\n\n                                             UNCLASSIFIED\n\n\x0c                                            UNCLASSIFIED\n\n\n                                         Executive Summary\n\n        In accordance with the Federal Information Security Management Act of 2002 (FISMA),1\nthe Office of Inspector General (OIG) contracted with Williams, Adley & Company, LLP\n(referred to as \xe2\x80\x9cwe\xe2\x80\x9d in this report), to perform an independent evaluation of the Department of\nState (Department) information security program\xe2\x80\x99s compliance with Federal laws, regulations,\nand standards established by FISMA, the Office of Management and Budget (OMB), and the\nNational Institute of Standards and Technology (NIST). Additionally, the results are designed to\nassist OIG in providing responses to OMB Memorandum M-11-33, FY 2011 Reporting\nInstructions for the Federal Information Security Management Act and Agency Privacy\nManagement, dated September 14, 2011.\n\n       Overall, we found that the Department had implemented an information security program,\nbut we identified weaknesses that significantly impact the information security program\ncontrols. If these control weaknesses are exploited, the Department could be exposed to\nadditional security breaches. Collectively, these control weaknesses represent a significant\ndeficiency, as defined by the Office of Management and Budget M-11-33, to enterprise-wide\nsecurity including the Department\xe2\x80\x99s financial systems. The weakened security controls could\nadversely affect the confidentiality, integrity, and availability of information and information\nsystems. A further compounding factor is that the Department had not taken corrective action to\nremediate all of the control weaknesses identified in the FY2010 FISMA report. To improve the\ninformation security program and to bring the program into compliance with FISMA, OMB, and\nNIST requirements, the Department needs to address the following control weaknesses:\n\n           A. Risk Management Program\n\n               The Department\xe2\x80\x99s risk management program for information security needs\n               improvement at both the organization and the system levels. At the organizational\n               level, the Department had not implemented an effective risk management strategy, and\n               the Information Security Steering Committee (ISSC) did not meet during the fiscal\n               year. At the system level, we noted several deficiencies in the Department\xe2\x80\x99s\n               documentation in the security assessment and authorization packages. More\n               importantly, the security authorization process was not properly managed for nine of\n               30 of the Department\xe2\x80\x99s information systems, including extensions for security\n               authorizations (formerly authority to operate [ATO]) on the Department\xe2\x80\x99s primary\n               general support systems (GSS) for classified and unclassified systems. These\n               deficiencies weaken the Department\xe2\x80\x99s risk management framework and its ability to\n               assess, respond to, and monitor information security risk.\n\n           B. Security Configuration Management\n\n               Although the Chief Information Officer (CIO) is taking actions to address the prior\n               year\xe2\x80\x99s weaknesses with the configuration management controls, the configuration\n               management process continues to experience deficiencies in installing critical security\n\n\n1\n    Public Law No. 107-347, title III.\n                                                     1\n                                            UNCLASSIFIED\n\x0c                                                UNCLASSIFIED\n\n\n            patches within required timeframes and enabling mandatory security settings from the\n            Bureau of Diplomatic Security (DS) Configuration Guidelines.\n\n         C. Security Awareness and Role-Based Training\n\n            The Department needs to improve its process and procedures for general information\n            security awareness and role-based training. The Department is not tracking and\n            documenting Significant Security Responsibilities (SSR) training attendance. The\n            evaluation found that nine of 30 employees and contractors hired during FY 2011 had\n            not taken the PS800 training (general security awareness training) within 10 days after\n            being hired. Additionally, five of 30 Department information system users had not\n            taken the annual PS800 training.\n\n         D. Plans of Action and Milestones\n\n            The Department\xe2\x80\x99s Plans of Actions and Milestones (POA&M) process had not been\n            fully and effectively implemented, and the program is not compliant with FISMA and\n            OMB requirements. The Department had not implemented a POA&M process to\n            address and resolve security weaknesses identified on the ClassNet GSS. In addition,\n            the evaluation found the Department had not implemented effective corrective actions\n            to address the POA&M control weaknesses within the OpenNet GSS identified in the\n            FY 2010 FISMA report on the Department\xe2\x80\x99s information security program.\n\n         E. Account and Identity Management Program\n\n            The Department needs to improve account management processes in Active Directory2\n            (AD) for OpenNet and ClassNet. From a population of approximately 128,000\n            OpenNet Active Directory user accounts, we identified approximately 400 guest, test,\n            and temporary accounts; 9,000 accounts that had not been used (never logged on); 400\n            accounts with passwords set \xe2\x80\x9cnot to expire\xe2\x80\x9d; and 300 Install Accounts.3 Then, from a\n            population of approximately 36,000 ClassNet AD accounts, we identified\n            approximately 200 guest, test, and temporary accounts; 4,000 accounts that had not\n            been used (never logged on); 900 accounts with passwords set \xe2\x80\x9cnot to expire\xe2\x80\x9d; and 200\n            software installation accounts (Install Accounts).\n\n         F. User Provisioning Process\n\n            The Department\xe2\x80\x99s user provisioning process for creating, modifying, and disabling\n            users\xe2\x80\x99 accounts is not in compliance with the Department\xe2\x80\x99s Foreign Affairs Manual\n            (FAM). The Department did not require two of 25 ClassNet Domain Administrators\xe2\x80\x99\n            accounts to have individual user accounts, which may result in Domain\n            Administrators\xe2\x80\x99 accounts being used for non-administrator functions and susceptible to\n            cyber attacks. The Department had not removed in a timely manner 294 of 894\n\n2\n  Active Directory is a technology created by Microsoft that provides a variety of network services such as\n\t\nidentification and authentication, directory access, and other network services.\n\n3\n  Install accounts are those accounts created for Department of State personnel to install software within the different \n\ndomains (for the bureaus and offices).\n\t\n                                                            2\n                                                UNCLASSIFIED\n\x0c                                                UNCLASSIFIED\n\n            accounts for separated Full Time Equivalent employee accounts, and 104 of those\n            accounts had Department issued security tokens4 for remote access. Documentation\n            (Password/Receipt Form) had not been received for all of 25 new user accounts\n            created within the past fiscal year and documentation had not been received for all\n            seven Network Administrators\xe2\x80\x99 accounts created within the past fiscal year. The\n            Department permitted one of 25 OpenNet Domain Administrators/Administrators\xe2\x80\x99\n            accounts to be used as a group account.\n\n            These control weaknesses increase the potential that unauthorized activities can occur\n            without timely detection, which adversely impacts confidentiality, integrity, and\n            availability of the data on OpenNet and ClassNet.\n\n         G. Continuous Monitoring\n\n            The Department does not have an effective means of implementing continuous\n            monitoring at the organization level or the system level, and the Department had not\n            taken action to resolve the continuous monitoring control weaknesses identified in the\n            FY 2010 FISMA report on the Department\xe2\x80\x99s information security program. The ISSC\n            had not developed a formal continuous monitoring strategy that addresses framing\n            risk, assessing risk, responding to risk, and monitoring risk, all of which are required\n            by NIST Special Publication (SP) 800-39, Managing Information Security Risk.\n\n            Also, based on our review of the actions taken by the Department regarding\n            weaknesses identified in the FY 2010 FISMA report on the Department\xe2\x80\x99s information\n            security program, we found the following repeat deficiencies:\n\n                 \xef\x82\xb7\t The scanning tools do not assess Oracle, the Department\xe2\x80\x99s most common\n                    database management system, for configuration control weaknesses that could\n                    adversely impact application access controls.\n\n                 \xef\x82\xb7\t Scanning results for routers, firewalls, and Demilitarized Zone servers were not\n                    available in iPost;5 therefore, the results were not used in risk scoring.\n\n         H. The Continuity of Operations Program Needs to Be Improved\n\n            The Department\xe2\x80\x99s Continuity of Operations Program is not operating effectively and is\n            not documented in accordance with NIST SP 800-34 and Federal Continuity Directive\n            (FCD)-2. The Department is required by NIST to have a collection of plans to prepare\n            for response, continuity, recovery, and resumption of mission/business processes and\n            information systems.\n\n\n4\n  A token (sometimes called a security token) is an object that controls access to a digital asset. It is a small device\nused in a networked environment to create a one-time password that the owner enters into a login screen along with\na user identification and a personal identification number.\n5\n  iPost is a system that provides the ability to monitor outputs of the various network monitoring applications. It\nallows key personnel to monitor network, computer, and application resources; check for potential problems; initiate\ncorrective actions; and gather performance, compliance, and security data for near real-time and historical reporting.\n                                                            3\n                                                UNCLASSIFIED\n\x0c                               UNCLASSIFIED\n\n\n  We found that the Continuity of Operations Plan (COOP) Communication Plan (CCP)\n  for emergency communications and the network had not been updated with significant\n  changes since 2008. The COOP CCP was not updated in accordance with NIST SP\n  800-34 because the Bureau of Information Resource Management (IRM) is focused on\n  the Bureau Emergency Action Plan (BEAP) instead of the COOP CCP that contributes\n  to the continuation of communications and the network for the entire Department.\n\nI. Information Systems Contingency Planning\n\n  The Department needs to improve the information system contingency planning\n  program. An effective contingency planning program is designed to mitigate the risk\n  of system and service unavailability by providing effective and efficient solutions to\n  enhance system availability.\n\n  From a sample of 25 information system contingency plans tested, we found several\n  deficiencies. For example, three systems\xe2\x80\x99 (OpenNet, WebPass, and TDS)\n  Contingency Plans did not document the alternate recovery site information.\n\nJ. Oversight of Contractor Systems\n\n  The Department had not implemented an effective oversight program of its contractor\n  systems and contractor extensions. All five Contractor-Owned Contractor-Operated\n  (COCO) systems reviewed did not have contract agreements or security-related\n  documentation available for review. For four of five COCO systems, IRM did not\n  provide ATO memorandums after several requests.\n\n  We also found that the Department did not have an effective mechanism in place to\n  identify the total number of contractors\xe2\x80\x99 personnel who had access to and privileges\n  within the Department\xe2\x80\x99s network, applications, databases, and data.\n\nK. Capital Planning\n\n  Information security is not fully integrated into the Department\xe2\x80\x99s Capital Planning and\n  Investment Control (CPIC) process. IRM needs to strengthen its oversight process of\n  information technology (IT) investments. For four of 10 appropriated IT security\n  investments reviewed, the Department did not provide evidence of documentation\n  showing obligations and expenditures. The Department does not provide OMB with\n  all investments that have significant dependency for the IT Infrastructure major\n  investment. For a sample of 10 non-major investments that make up the IT\n  Infrastructure major investment, we found that none of the 10 were identified as\n  required by OMB in Exhibit 300.\n\n  Also, IT security costs from the Department\xe2\x80\x99s POA&Ms are not captured in the capital\n  planning process. Specifically, Department implementation of the POA&M process\n  does not reflect the unique project identifiers (UPI), which tie security correction\n  action plans into the CPIC process. The lack of integration between the POA&M\n  process and capital planning process negatively affects the funding prioritization\n                                        4\n                               UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n          among the IT investments. Ultimately, inadequate oversight increases the risk of\n          unapproved investments being funded.\n\n       Although this report contains 19 recommendations to the Department, we believe the\nmost significant security deficiencies are the findings related to risk management strategy and\nsecurity authorizations (Finding A), security configuration management (Finding B), POA&Ms\n(Finding D), and the continuous monitoring program (Finding G).\n\n       We reviewed the Department\xe2\x80\x99s remedial actions taken to address the 2010 reported\ninformation security program control weaknesses identified in the FY 2010 FISMA report\nReview of the Information Security Program at the Department of State (AUD/IT-11-07,\nNovember 2010). (The statuses of the recommendations from the FY 2010 review of the\ninformation security program are in Appendix B.) Since FY 2010, the Department has taken\nactions to improve management controls to include the following:\n\n       \xef\x82\xb7\t Updated and verified the FISMA systems inventory list to the Information\n          Technology Asset Baseline (ITAB) to ensure that all information technology (IT)\n          systems are accurately accounted for.\n\n       \xef\x82\xb7\t Defined and identified personnel who have significant security responsibilities in its\n          Information Assurance (IA) Training Plan.\n\n       \xef\x82\xb7\t Ensured that personally identifiable information (PII) data incidents are reported to\n          the U.S. Computer Emergency Response Team within the required 1-hour timeframe.\n\n       \xef\x82\xb7\t Updated its contracts to include Department of State Acquisition Regulations\n          information security language.\n\n         Management Comments. In its November 2, 2011, response to the draft report (see\nAppendix J), the Department stated that it \xe2\x80\x9cdisagrees\xe2\x80\x9d on whether continuous monitoring, as\ncurrently conducted, produces a lower risk than a traditional C&A program, and on the relative\nimportance of completeness and compliance vs. timeliness and risk-based prioritization.\xe2\x80\x9d The\nDepartment further stated, \xe2\x80\x9cHaving carefully considered these factors, the Department is\nconvinced its continuous monitoring program, which is 300 times more timely than traditional\nthree-year reauthorizations, produces significantly lower security risk [Department footnote\nstates: \xe2\x80\x9cNeither produce zero risk, and achieving zero risk in not foreseeable.\xe2\x80\x9d] on its networks.\xe2\x80\x9d\n\n        Although OIG agrees that the continuous monitoring concept, if properly implemented\nand documented, allows for more rapid identification of security weaknesses, OIG is unable to\nprovide an opinion on the effectiveness of the continuous monitoring strategy because the\nBureau of Information Resource Management (IRM) did not provide a strategy, but the concept\nof continuous monitoring is designed to provide results in a more timely fashion. The collective\nweaknesses in the information security program, including IRM\xe2\x80\x99s lack of strategies for risk\nmanagement and continuous monitoring, leave a weakness in the approach to assessing risk and\ntaking actions to correct identified vulnerabilities. Furthermore, IRM\xe2\x80\x99s approach cannot\nestablish responsibility and accountability for information systems security controls and leaves a\nvacuum between the current state of information security controls and any planned\n                                                 5\n                                        UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\nimprovements regarding the protection of the Department\xe2\x80\x99s information and information\nsystems, because the Department relies heavily on iPost results to determine the current security\nposture of information systems and to initiate corrective actions. However, IRM could not\nprovide documentation to support the strategy used or present historical or trend analysis during\nthe annual evaluation. OIG identified weaknesses that should have been addressed or corrected\nbased on the approach IRM presented verbally during the course of the FISMA evaluation. The\nidentification of account management weaknesses by OIG\xe2\x80\x99s FISMA and financial statement\nauditors, the failure to install critical patches on servers, and the increasing trend of Common\nVulnerabilities and Exposures (CVE) since 2007 indicates that the approach in place is not\naddressing information security risks in the Department\xe2\x80\x99s information and information systems.\n\n       In its response to the report\xe2\x80\x99s 19 recommendations, the Department generally agreed or\nagreed with portions of 10 recommendations, did not agree with five recommendations, and did\nnot indicate agreement or disagreement with four recommendations. Based on the response,\nOIG considers 10 recommendations resolved, pending further action, and nine recommendations\nunresolved.\n\n       Management\xe2\x80\x99s responses to the recommendations and OIG\xe2\x80\x99s analyses of the responses\nare presented after each recommendation. Also, OIG has provided additional comments to the\nDepartment\xe2\x80\x99s response in the section \xe2\x80\x9cManagement Comments and OIG Analyses.\xe2\x80\x9d\n\n                                         Background\n        FISMA recognized the importance of information security to the economic and national\nsecurity interests of the United States. FISMA requires each Federal agency to develop,\ndocument, and implement an agency-wide program to provide information security for the\ninformation systems that support the operations and assets of the agency, including information\nand information systems provided or managed by another agency, contractor, or source. FISMA\nprovides a comprehensive framework for establishing and ensuring the effectiveness of\nmanagement, operational, and technical controls over information technology (IT) that supports\nFederal operations and assets, and it provides a mechanism for improved oversight of Federal\nagency information security programs.\n\n        FISMA assigns specific responsibilities to Federal agencies, NIST, OMB, and the\nDepartment of Homeland Security (DHS) in order to strengthen information system security. In\nparticular, FISMA requires the head of each agency to implement policies and procedures to cost\neffectively reduce IT security risks to an acceptable level. To ensure the adequacy and\neffectiveness of information system controls, FISMA requires agency program officials, chief\ninformation officers, chief information security officers, senior agency officials for privacy, and\ninspectors general to conduct annual reviews of the agency\xe2\x80\x99s information security program and\nreport the results to DHS.\n\n\n\n\n                                                 6\n                                        UNCLASSIFIED\n\x0c                                              UNCLASSIFIED\n\n\n       On an annual basis, OMB provides guidance with reporting categories and questions for\nmeeting the current year\xe2\x80\x99s reporting requirements.6 OMB uses this data to assist in its oversight\nresponsibilities and to prepare its annual report to Congress on agency compliance with FISMA.\n\n                                            Results of Review\n       Overall, we found that the Department had implemented an information security program,\nbut we identified weaknesses that significantly impact the information security program\ncontrols. If these control weaknesses are exploited, the Department could be exposed to\nadditional security breaches. Collectively, these control weaknesses represent a significant\ndeficiency, as defined by the Office of Management and Budget M-11-33, to enterprise-wide\nsecurity including the Department\xe2\x80\x99s financial system. The weakened security controls could\nadversely affect the confidentiality, integrity, and availability of information and information\nsystems. A further compounding factor is that the Department had not taken corrective action to\nremediate all of the control weaknesses identified in the FY2010 FISMA report. To improve the\ninformation security program and to bring the program into compliance with FISMA, OMB, and\nNIST requirements, the Department needs to address the following control weaknesses:\n\nA. Risk Management Framework Needs Improvement\n        The Department needs to improve its risk management program for information security\nat both the organization and the system levels. We found that the Department had not taken\nadequate remedial actions to resolve control weaknesses reported in the FY 2010 OIG FISMA\nreport and that the Department continues to experience control deficiencies at both the\norganizational and information systems levels of the Risk Management Framework (RMF). The\nRMF is important because NIST SP 800-377 requires an organizational perspective with the\ndevelopment of a comprehensive governance structure and organization-wide risk management\nstrategy, instead of sole reliance on security authorizations at the system level.\n\n        At the organizational level, the Department had not implemented an effective risk\nmanagement strategy addressing how it intends to assess, respond to, and monitor information\nsecurity risk as required by NIST 800-39.8 As of June 30, 2011, the ISSC,9 a key component of\nthe Department\xe2\x80\x99s cyber security governance structure, had not met during FY 2011. The\ncommittee chose to meet only during emergency events and not regularly, as specified in its\ncharter. Key members of the ISSC consist of the Chief Information Security Officer, the Senior\nCoordinator for Security Infrastructure; Co-Executive Secretaries from the Office Information\nResource Management/Information Assurance/Policy Liaison and Reporting (IRM/IA/PLR) and\n6\n  OMB Memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management\n\nAct and Agency Privacy Management, dated Sept.14, 2011.\n\t\n7\n  NIST SP 800-37, rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems, \n\nFeb. 2010. \n\n8\n  NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, \n\nMarch 2011. \n\n9\n  According to the ISSC charter, members will meet on a monthly basis; more or less frequent meetings may be \n\nscheduled at the request of any member, given a majority agreement of the ISSC. Among its responsibilities, the \n\nISSC shall: (a) Develop priorities and determine availability of resources for security of Department information\n\t\nsystems; (b) coordinate strategic direction of the Department\xe2\x80\x99s information security efforts; and (c) support \n\nDepartment funding and budget mechanisms as they relate to information security.\n\t\n                                                          7\n                                              UNCLASSIFIED\n\x0c                                               UNCLASSIFIED\n\n\nDiplomatic Security/Security Infrastructure/Office of Computer Security (DS/SI/CS), and\npermanent bureau members. Further, because the risk management strategy had not been fully\nimplemented at the organizational level, communication of operations at the system level is\nnegatively affected, along with business decisions such as funding allocation, because\nmanagement is not fully aware of security vulnerabilities that exist.\n\n       At the information system level, we found deficiencies in the Security Assessment and\nAuthorization documentation (formerly Certification & Accreditation) as follows:\n\n       1.\t\t For the authorities to operate (ATO), which provide proof that an authorizing official has\n            accepted the identified risk, we found that nine of 30 systems (see Appendix I) tested did\n            not have a full security assessment and authorization performed. The most notable\n            examples identified were that the designated approving authority provided only\n            memorandums granting extensions of ATOs for OpenNet and ClassNet general support\n            systems (GSS) rather than completing a full security assessment and authorization.\n            Because the OpenNet system did not have a legitimate ATO for the unclassified systems,\n            we requested the ClassNet ATO for the classified systems. OMB10 requires agencies to\n            conduct ongoing authorizations of information systems through the implementation of\n            continuous monitoring programs. However, we found control deficiencies in the\n            Department\xe2\x80\x99s continuous monitoring program (see Finding G - Continuous Monitoring\n            Program Needs To Be Improved). The nine systems, in addition to ClassNet, where the\n            ATOs were not valid, not available or outdated, are presented in Appendix C.\n\n       2.\t\t For thirty System Security Plans (SSP) tested, which document the security controls for\n            the system, we found the following:\n\n           \xef\x82\xb7\t The security baseline controls for 24 systems had not been updated to \n\n              comply with NIST SP 800-53 Revision 3,11 (see Appendix D). \n\n           \xef\x82\xb7\t Four systems\xe2\x80\x99 SSPs (OpenNet Transport, OpenNet Windows Active\n              Directory [WINAD], Extranet, and the United States Embassy Vienna\n              Internet [USEVI]) had not been updated within 3 years or updated because\n              of a major change, as required by OMB Circular A-130 Appendix III and\n              NIST SP 800-37.\n\n       3.\t\t For thirty Security Assessment Reports (SAR) supporting the independent assessor\xe2\x80\x99s\n            evaluation of management, operational, and technical controls, we found the following:\n\n           \xef\x82\xb7\t For five systems (OpenNet, Windows Active Directory [WINAD],\n              Extranet, USEVI, and the Web Post Administrative Application Software\n              Suite [WebPASS]), the SAR either was not available or was outdated.\n           \xef\x82\xb7\t Two systems (WebPASS and State Messaging and Archiving Retrieval\n              Tool \xe2\x80\x93 Classified [SMART-C]) did not have an annual assessment of\n              security controls performed as part of their continuous monitoring of annual\n              controls.\n\n10\n     OMB Memorandum M-11-33.\n\t\n11\n     NIST SP 800-53, rev.3, Recommended Security Controls for Information Systems, Aug. 2009. \n\n                                                       8\n                                               UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n        The Department did not properly follow NIST SP 800-37 guidelines for properly\nmanaging the documentation included in the security assessment and authorization packages.\nBureau of Information Resource Management, Office of Information Assurance (IRM/IA),\nofficials stated that they were aware that the contents were sometimes outdated or were\nunavailable but explained that the USEVI Web site has a foreign IP address that does not belong\nto the Department. The officials acknowledged, however, that OIG had informed them that\nUSEVI needs to be included in their system inventory.\n\n       At the system level, not performing the security assessment and authorization for\nOpenNet and ClassNet is a vulnerability that not only could eventually lead to a threat for these\nsystems but also for all other GSSs and major applications that are dependent on common\ncontrols from ClassNet and OpenNet.\n\n       Recommendation 1. We recommend that the Information Security Steering Committee\n       (ISSC) meet on a monthly basis to fulfill its purpose and responsibilities as required in\n       ISSC charter.\n\n       Management Response: The Department did not agree with this recommendation,\n       stating that the lack of meetings does not pose a material risk to Department security.\n       The Department further stated: \xe2\x80\x9cMoreover, there is no requirement that this voluntarily\n       created internal group [ISSC] meet with recurring frequency. The Department exercised\n       its valid authority [OMB Memorandum 11-33] to conclude there was no need to meet . . .\n       The ISSC chairpersons will survey the ISSC membership on reasons to meet, and\n       conduct meetings accordingly.\xe2\x80\x9d\n\n       OIG Analysis: OIG considers this recommendation unresolved. The Department\xe2\x80\x99s\n       ISSC charter states that the committee will meet on a monthly basis. Further, OIG is of\n       the opinion that the ISSC should meet on a more frequent basis to mitigate organizational\n       vulnerabilities, as the cyber threat environment to the Department is dynamic. This\n       recommendation can be resolved when the Department agrees to have the ISCC meet\n       monthly to fulfill its purpose and responsibilities, as required in the ISSC charter.\n\n       Recommendation 2. We recommend that the Information Security Steering Committee\n       improve its risk management strategy at the organizational level for assessing, responding\n       to, and monitoring information security risk as required in the Foreign Affairs Manual\n       and the National Institute of Standards and Technology Special Publication 800-39.\n\n       Management Response: The Department stated that it \xe2\x80\x9cagree[d] that some increased\n       level of documentation in this area could be beneficial\xe2\x80\x9d but noted that under OMB\n       Memorandum M-11-33, \xe2\x80\x9cit is the Department\xe2\x80\x99s judgment that shall decide how much\n       documentation is needed to reduce risk.\xe2\x80\x9d The Department further stated that its\n       \xe2\x80\x9cDesignated Authorizing Authority . . . will determine the level of documentation\n       adequate to manage risk.\xe2\x80\x9d\n\n       OIG Analysis: OIG considers this recommendation resolved. The recommendation can\n       be closed when OIG reviews and accepts documentation showing that the Department\n       has implemented a risk management strategy at the organizational level showing how the\n                                                9\n                                        UNCLASSIFIED\n\x0c                               UNCLASSIFIED\n\n\nDepartment\xe2\x80\x99s risk management strategy addresses how the Department will assess,\nrespond to, and monitor information security risk.\n\nRecommendation 3. We recommend that the Chief Information Officer:\n\xef\x82\xb7\t Improve oversight of the security assessment and authorization process for\n   the Department\xe2\x80\x99s information systems, especially the OpenNet General\n   Support System (GSS) and ClassNet GSS as required by the National\n   Institute of Standards and Technology (NIST) Special Publication (SP)\n   800-37.\n\xef\x82\xb7\t Improve existing procedures to ensure security authorization packages are\n   updated every 3 years or when a significant change occurs or develop a\n   risk-based approach for implementing a continuous monitoring strategy as\n   required by NIST SP 800-37.\n\xef\x82\xb7\t Improve existing procedures to ensure Systems Security Plans and Systems\n   Assessment Reports are updated as required to comply with the security\n   baseline controls contained in NIST SP 800-53 (Revision 3).\n\xef\x82\xb7\t Perform annual security assessments of a subset of a system\xe2\x80\x99s security\n   controls as required by NIST SP 800-37.\n\nManagement Response: The Department did not agree with the recommendation,\nstating that based on OMB Memorandum M-11-33, security reauthorizations are not\nrequired every 3 years but through \xe2\x80\x9congoing authorizations\xe2\x80\x9d via implementation of a\ncontinuous monitoring program. The Department also did not agree that security\nassessments and authorizations had to be improved, stating that NIST SP 800-53\nguidance \xe2\x80\x9cwas not fully implemented until June 2010.\xe2\x80\x9d The Department also stated that a\n\xe2\x80\x9cnew NIST 800-53A was needed to implement the new 800-53, and was not published\nuntil June 2010.\xe2\x80\x9d Therefore, according to the Department, \xe2\x80\x9ccompliance was not required\nfor C&As starting before June 2011\xe2\x80\x9d but, as of June 2011, the Department \xe2\x80\x9cwill comply\nwith the new version of NIST 800-53/53A.\xe2\x80\x9d The Department further stated that its C&A\nToolkit \xe2\x80\x9chas been fully updated to implement this change\xe2\x80\x9d and that it \xe2\x80\x9cperforms such\nannual testing on all its systems, except in rare cases that are vigorously pursued.\xe2\x80\x9d\n\nOIG Analysis: OIG considers this recommendation unresolved. The evaluation of the\nDepartment\xe2\x80\x99s continuous monitoring program determined that several control\ndeficiencies were identified (see Appendix H), therefore weakening the reliance on the\ncontinuous monitoring program. NIST SP 800-53, Revision 3, guidance was issued in\nAugust 2009, and OMB Memorandum M-11-33 states that \xe2\x80\x9cagencies are expected to be\nin compliance with NIST standards and guidelines within one year of the publication date\nunless otherwise directed by OMB.\xe2\x80\x9d Although the Department stated that it had\nperformed annual security assessments on all of its controls, testing results showed that\nthe Department was not testing all of the security controls and could not support the\ncontrol baselines necessary to define the testing level. This recommendation can be\nconsidered resolved when OIG reviews and accepts documentation showing that the\nDepartment has agreed to address these risk management recommendations and the\nactions it will take to address these actions.\n\n                                       10\n                               UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\n\nB. Security Configuration Management Needs Improvement\n         In FY 2011, we inquired about the progress of the Central Patch Management (CPM)\nproject and the Initiative for End-to-End Configuration Management (CM) identified in the FY\n2010 FISMA report on the Department\xe2\x80\x99s information security program. According to\nIRM/Operations/Enterprise Network Management (IRM/OPS/ENM) officials, the CPM project\nis in the deployment phase. Although the CIO is taking actions to address the prior year\xe2\x80\x99s\nweaknesses with the CM controls and IRM/OPS/ENM has set a patch installation benchmark\nrate of 100 percent, which is in accordance with the FAM,12 we found the following deficiencies:\n\n       \xef\x82\xb7\t Critical security patches were not installed within the required timeframes. From a\n          sample of 25 Windows servers, we found that 17 servers did not have critical patches\n          installed. (Details of missing critical patches are in Appendix G.)\n\n       \xef\x82\xb7\t   All mandatory security settings were not reported by iPost. The scan results are\n            submitted to IRM/IA to upload to iPost. Based on our comparison of a sample of 25\n            mandatory security settings from the DS Configuration Guidelines (Windows 2003 and\n            2008) and the McAfee Foundstone Benchmarks, which are run by the Bureau of\n            Diplomatic Security, Security Infrastructure Directorate, Office of Computer Security,\n            Enterprise Vulnerability Scanning (DS/SI/CS/EV) Branch, we found that the following\n            settings were not enabled during the vulnerability scans:\n\n              o\t Security Options: Network Access: Restrict anonymous access to named pipes\n                 and shares.\n\n              o\t Securing System Services: DFS Replication.\n\n              o\t Restricting Access to Windows Server 2003 System Folders.\n\n              o\t Windows (2008) Update Services: PKI Interoperability.\n\n       \xef\x82\xb7\t We performed a vulnerability analysis and identified 8,520 high risk deficiencies. Some\n          of the deficiencies identified are as follows (the vulnerability analysis is in Appendix E):\n\n              o\t Systems, operating systems, and applications with critical system and security\n                 patches that had not been applied by the Department.\n\n              o\t Systems that did not meet the standards set forth in the DS System Configuration\n                 Policy and Procedures.\n\n              o\t Systems that allowed access to system resources via anonymous logins and\n                 passwords, default credentials, and unsecured access points.\n\n       Responsibility for the implementation of CM controls for the systems, operating systems,\ndatabases, and network is distributed among the various system owners, database administrators,\nand network administrators without sufficient centralized governance controls to oversee\n\n12\n     5 FAM 1067.3(b)(1), \xe2\x80\x9cPatch Management Compliance Program.\xe2\x80\x9d\n                                                     11\n                                            UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\n\nperformance. For example, the Information System Security Officers (ISSO) have not\nestablished and implemented a reporting process to verify that the responsible groups have\nimplemented the security configuration patches and software updates identified by DS and IRM.\nAlthough system owners are responsible for the systems\xe2\x80\x99 operations and compliance, DS and\nIRM did not establish reporting procedures to obtain, between each other, assurance that patches\nwere actually installed. To correct these weaknesses, IRM/OPS/ENM is implementing the end-\nto-end CM initiative, which includes a standard operating environment to support development\nof effective CM plans for the computing environments commonly used throughout the\nDepartment.\n\n        Without effective configuration management controls, the Department increases the risks\nthat Department-sensitive data, systems, and hardware may be exposed to loss of integrity and\nconfidentiality. Additionally, the Department increases the risks that known security weaknesses\nwill be exploited by individuals to perform unauthorized activities. The Department\xe2\x80\x99s\ndecentralized patch management and CM processes and procedures do not ensure that all system\nand operating system security residing on the network will be properly patched to reduce the\nsecurity exposure to other Department bureaus and system owners in a timely manner.\n\n       Recommendation 4. We recommend that the Chief Information Officer expedite the\n       Information Resource Management, Operations, Enterprise Network Management and\n       Diplomatic Security, Security Infrastructure, Office of Computer Security process to\n       finalize and implement the elements within the Cyber Security Architecture draft target\n       architecture and initiatives for end-to\xe2\x80\x93end configuration management and take immediate\n       action to correct or mitigate the high risk vulnerabilities identified by the vulnerability\n       scanning as required by the Foreign Affairs Manual and Diplomatic Security System\n       Configuration Policy and Procedures.\n\n       Management Response: The Department stated the following:\n\n          In general, the OIG is using a criterion focused upon completeness, and\n          overlooking timeliness. This is a \xe2\x80\x9ccompliance-based\xe2\x80\x9d approach not consistent\n          with FY2011 FISMA reporting instructions that require both the Department\n          and OIG to assess risk and make judgments of how to best achieve security.\n\n          More specifically, the OIG asserts the Department is not checking 100% of\n          configuration settings within the \xe2\x80\x9crequired\xe2\x80\x9d three-year timeframe. Utilizing a\n          risk-based approach, the Department is applying the analysis conducted by\n          MIT Lincoln Labs examining the tradeoff between completeness and\n          timeliness of testing. This study shows the following two conditions have\n          approximately equal risk [Chart in Department response: \xe2\x80\x9c100% completeness\n          every year =17% completeness every two months\xe2\x80\x9d].\n\n          Because the Department checks nearly 90% of configuration settings every\n          three days, the Department\xe2\x80\x99s risk is significantly lower than the traditional\n          C&A requirement (100% completeness every three years). In this case,\n          evidence shows timeliness trumps completeness in lowering risk.\n\n                                                12\n                                       UNCLASSIFIED\n\x0c                                                 UNCLASSIFIED\n\n               The Department examined each of the three OIG findings and determined the\n               findings do not reflect a material increase of risk for reasons documented\n               elsewhere [Footnote in Department response: \xe2\x80\x9cAvailable for auditor\n               inspection.\xe2\x80\x9d]. The Department will continue to assess risk in these areas, and\n               if a material risk to the security of the Department is found, the Department\n               will take appropriate steps.\n\n           OIG Analysis: OIG considers this recommendation unresolved. During the analysis of\n           vulnerability scan results analysis, the evaluation determined that a total of 15,288\n           critical, high, medium, and low patches have not been applied for 16 general support\n           systems/major applications. Further, there were critical patches that were 7 years\n           overdue. For the 16 systems tested, the vulnerability scan results analyses displayed a\n           rising trend of non-remediation of Common Vulnerabilities Exposures (CVE) since 2007,\n           with some being identified as early as 1999. Thus there are vulnerabilities that have not\n           been remediated and that can possibly threaten the security posture of the network\n           infrastructure. (See Appendix E, \xe2\x80\x9cVulnerability Assessments,\xe2\x80\x9d Table 4, \xe2\x80\x9cTotal Number\n           of Vulnerabilities by CVE and Year.\xe2\x80\x9d) This recommendation can be resolved, when the\n           Department agrees to finalize and implement the elements within the Cyber Security\n           Architecture draft target architecture and initiatives for end-to\xe2\x80\x93end configuration\n           management and take immediate action to correct or mitigate the high risk vulnerabilities\n           identified by the vulnerability scanning.\n\nC. Information Security Training Requirements Were Not Enforced\n\n        The Department\xe2\x80\x99s security training program needs to improve processes and procedures\nwithin the general information security awareness and role-based training. OMB13 mandates\nagencies provide periodic computer security awareness to all users as well as specialized training\nfor individuals who have significant security responsibilities. Training ensures that all users are\nknowledgeable of the rules of the system. In the FY 2010 FISMA report, OIG reported that the\nDepartment did not identify employees with significant security responsibilities (SSR).\n\n         The FY 2011 evaluation found that the Department had established controls to identify\nSSR positions and required role-based training in the IA Training Plan; however, the Department\nis not tracking and documenting SSR training attendance. From a sample of 25 full-time-\nequivalent (FTE) employees with SSRs, we found 20 employees had not completed role-based\ntraining within the past 3 years.\n\n           We\xc2\xa0also\xc2\xa0found\xc2\xa0the following control deficiencies:\n\n       \xef\x82\xb7\t From a sample of 25 newly hired personnel (contractor, FTE, and locally employed\n          staff), we identified nine users who had not completed the initial PS80014 training within\n          10 days of gaining access to the system. The IA Training Plan requires first-time users to\n          complete the course within 2 weeks of being granted access to the system.\n\n\n13\n     OMB Circular A-130, revised app. III, \xe2\x80\x9cSecurity of Federal Automated Information Resources.\xe2\x80\x9d\n14\n     The PS800 online user awareness training is required for all network users, domestic and abroad.\n                                                           13\n                                                 UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\n   \xef\x82\xb7\t From a sample of 25 personnel (contractor, FTE employees, and locally employed staff),\n      five users had not taken the annual PS800 refresher training.\n\n        The control deficiencies with the new user and annual refresher PS800 training occurred\nbecause the Department had not implemented new automated methods to suspend the\nemployees\xe2\x80\x99 access to the networks for those employees who have not completed the PS800\ntraining. Currently, the Department relies on ISSOs to set expiration dates on user accounts,\nwhich are contingent on the completion of the PS800 training. As a result, all employees (users\nand non-users) need to be properly trained on how to protect classified information. Employees\nwho are not properly trained create a risk for the Department because they may cause\nvulnerabilities or security breaches. \xc2\xa0\n\n       Recommendation 5. We recommend that the Chief Information Officer and\n       the Bureau of Diplomatic Security ensure, for significant security responsibility\n       (SSR) training, that personnel designated as having SSR responsibilities receive\n       the appropriate training as required by the Information Assurance Training\n       Plan.\n\n       Management\xe2\x80\x99s Response: The Department stated that it \xe2\x80\x9cagrees with this\n       recommendation\xe2\x80\x9d and that it \xe2\x80\x9cwill develop a method of tracking of who needs and who\n       has received role-based training; comparable to what is available for awareness training\n       (including risk scoring in iPost).\xe2\x80\x9d\n\n       OIG Analysis: OIG considers the recommendation resolved. This recommendation can\n       be closed when OIG reviews and accepts documentation showing that the Department\n       has developed a method for tracking individuals who have received role-based training.\n\n       Recommendation 6. We recommend that the Chief Information Officer implement, for\n       Security Awareness Training, automated methods to replace the current manual process\n       to track and enforce the Department of State security awareness policy and to suspend a\n       user\xe2\x80\x99s access to the network if the user has not taken the Cyber Security Awareness\n       course within the required timeframe as required by the Information Assurance Training\n       Plan.\n\n       Management Response: The Department did not indicate concurrence or\n       nonconcurrence with this recommendation. It stated that it will \xe2\x80\x9cconduct a complete\n       assessment of compliance in this area and take appropriate action if a material level of\n       non-compliance is indicated.\xe2\x80\x9d\n\n       Regarding the Cyber Security Awareness course (PS-800), the Department stated that a\n       preliminary study of compliance with annual completion of the course shows that \xe2\x80\x9cnearly\n       100% of those who require training receive training within 30 days of the due date\xe2\x80\x9d and\n       that it \xe2\x80\x9cdoes not consider this level of non-compliance to be a material risk to the security\n       of the Department.\xe2\x80\x9d The Department further stated that this is \xe2\x80\x9cespecially true,\n       considering there are several other sources of awareness training including the daily\n       awareness program at login, as well as weekly and quarterly sources.\xe2\x80\x9d Regarding OIG\xe2\x80\x99s\n       \xe2\x80\x9cproposal to automatically suspend account access (without human intervention),\xe2\x80\x9d the\n                                                14\n                                        UNCLASSIFIED\n\x0c                                           UNCLASSIFIED\n\n\n        Department stated that this proposal \xe2\x80\x9chas a high risk of creating serious denial-of-service\n        issues and as such, itself poses risks to the security of the Department.\xe2\x80\x9d\n\n        OIG Analysis: OIG considers this recommendation unresolved. The testing that was\n        performed during the evaluation was a control-based test of the IA Training Plan, which\n        states, \xe2\x80\x9cFirst time users must complete the course within 2 weeks of being granted access\n        to the system. Thereafter, annual refresher training is required. Users should take the\n        course within ten working days of the expiration of the course completion certificate\n        received the previous year.\xe2\x80\x9d This recommendation can be resolved when the Department\n        agrees to follow its internal procedures or change its procedures to train first-time users.\n\nD. Plans of Action and Milestones Are Not Effective\n        The Department\xe2\x80\x99s Plans of Action and Milestones (POA&M) process is not fully and\neffectively implemented, and the program is not compliant with FISMA and OMB requirements.\nThe POA&M is used to assist agencies in identifying, assessing, prioritizing, and monitoring the\nprogress of corrective actions for security weaknesses found in programs and systems.\n\n        The Department had not implemented a POA&M process to address and resolve security\nweaknesses identified on ClassNet GSS. For example, ClassNet security weaknesses identified\nfrom contingency plan test results, recommendations from external auditors, and annual tests and\naudits of security controls are not tracked in the enterprise POA&M database, as required by\nOMB15 and the Committee on National Security Systems (CNSS).16 The Department did not\nproperly follow OMB and CNSS mandated guidance for the ClassNet GSS to address all\nweaknesses identified by program reviews and evaluations. Not addressing security weakness\nfor national security systems is a vulnerability that threatens Department assets and the nation.\n\n        In addition, we found that the Department had not implemented corrective actions to\naddress the POA&M control weaknesses within the OpenNet GSS identified in OIG\xe2\x80\x99s FY 2010\nFISMA report. Specifically, the Department\xe2\x80\x99s POA&M process and program had the following\ncontrol deficiencies:\n\n        \xef\x82\xb7\t It did not consistently record essential resources to remediate and resolve security\n           weaknesses. According to OMB,17 POA&Ms should include the estimated funding\n           resources required to resolve the weakness as well as the anticipated source of\n           funding.\n\n        \xef\x82\xb7\t It did not accurately and timely update remediation schedules to reflect actual system\n           owners and others\xe2\x80\x99 performance to resolve or mitigate control weaknesses. NIST SP\n\n\n\n\n15\n   OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management\n\nAct. \n\n16\n   CNSS Policy No. 22, \xe2\x80\x9cInformation Assurance Risk Management Policy for National Security Systems.\xe2\x80\x9d (Feb. \n\n2009) \n\n17\n   OMB Memorandum M-04-25. \n\n                                                     15\n                                           UNCLASSIFIED\n\x0c                                           UNCLASSIFIED\n\n              800-3718 states that the organization is required to update the plans of action and\n              milestones on an ongoing basis.\n\n        The deficiencies within the POA&M process occurred because the Department had not\ndeveloped criteria to prioritize the importance of security weaknesses from both an enterprise\nand bureau basis. Currently, the Department permits each bureau to prioritize risks within its\nrespective environment and to budget accordingly without consideration of the risk and exposure\nto the Department as a whole. If the Department does not appropriately prioritize corrective\nactions on an enterprise basis, the most important actions (highest security risks) may not receive\nthe required resources for remediation, thereby exposing the Department\xe2\x80\x99s sensitive data,\nsystems, and hardware to unauthorized access and activities.\n\n        Currently, IRM/IA issues a quarterly POA&M Grading Memorandum process; however,\nthis memorandum is distributed to the bureaus\xe2\x80\x99 or offices\xe2\x80\x99 ISSOs and not to senior management.\nWithout the proper review and maintenance of POA&Ms, IT management may not be aware of\nthe status of remediation. Furthermore, the inadequacy of the POA&M process adversely effects\nthe capital planning process.\n\n           Recommendation 7. We recommend that the Chief Information Officer:\n\n           \xef\x82\xb7\t Implement a Plans of Action and Milestones (POA&M) tracking process\n              for all ClassNet security weaknesses as required by Committee on National\n              Security Systems Policy Number 22, Information Assurance Risk\n              Management Policy for National Security Systems.\n           \xef\x82\xb7\t Distribute the quarterly POA&M Grade Memorandums to the bureaus\xe2\x80\x99 and\n              offices\xe2\x80\x99 senior management (executive director) as required by M-04-25,\n              FY 2004 Reporting Instructions for the Federal Information Security\n              Management Act.\n           \xef\x82\xb7\t Ensure that the POA&M completion dates and the required resources for\n              OpenNet corrective actions are updated as required by OMB Memorandum\n              M-04-25.\n\n           Management Response: The Department stated that it \xe2\x80\x9cconcludes that the problems\n           identified are not material (or are now being addressed) for the following reasons:\n\n              \xef\x82\xb7   The Department has a compliant process for tracking POA&M items on\n                  ClassNet.\n              \xef\x82\xb7   The Department has started distributing quarterly grades (effective Q1-\n                  FY2012) to executive officers, as recommended.\n              \xef\x82\xb7   Quarterly updates to POA&M data are not warranted, unless there has been a\n                  change of status. The grading covered under the prior bullet addresses this issue.\xe2\x80\x9d\n\n           The Department also stated that the iPost system \xe2\x80\x9cperforms many of the functions of a\n           POA&M system at a level of timeliness and detail that the traditional POA&M approach\n           cannot achieve. Given the MIT Lincoln Labs findings on the trade-off between\n\n18\n     NIST SP 800-37.\n                                                   16\n                                           UNCLASSIFIED\n\x0c                                               UNCLASSIFIED\n\n\n        completeness and timeliness discussed previously, the Department concludes that\n        deficiencies in the traditional POA&M system are not a material risk to the security of\n        the Department, given iPost as a compensating control.\n\n        OIG Analysis: OIG considers this recommendation unresolved. The Department did\n        not provide evidence during the evaluation that the POA&M process was all inclusive.\n        The Department POA&M process on ClassNet does not include identified security\n        vulnerabilities during security testing, OIG audits, or other assessments. Therefore, this\n        process fails to track Department actions to remediate identified weaknesses.\n        Additionally weaknesses that are identified in the scanning results are not added to the\n        POA&M tracking. Although the Department stated that it had started distributing the\n        quarterly memorandums, it did not take this action within the time period of the FISMA\n        evaluation. The Department stated that iPost has replaced the traditional POA&M\n        process. The independent public accountant determined, based on the issues noted with\n        iPost (detailed in section G), that the system is not mature enough to compensate for the\n        POA&M process. This recommendation can be resolved when the Department can\n        document that the POA&M process includes the required elements for tracking, that the\n        POA&M process accounts for weaknesses identified by all sources (scans, assessments,\n        and OIG findings), and corrective actions are taken in the accordance with NIST and\n        OMB requirements.\n\nE. Account Management Processes in Active Directory Need To Be Improved\n       The Department needs to improve account management processes in Active Directory\n(AD) for OpenNet and ClassNet. In FY 2010, OIG reported deficiencies in account\nmanagement, and we found that account management deficiencies still existed within AD for\nOpenNet and ClassNet.\n\n        From a population of approximately128,000 OpenNet AD users\xe2\x80\x99 accounts, we identified\nthe following deficiencies:\n\n        \xef\x82\xb7\t Approximately 400 guest, test, and temporary accounts were in the AD\n           accounts. The FAM19 states, \xe2\x80\x9cThe data center manager and the system\n           manager may not maintain permanent user IDs and passwords on AISs for\n           visitors, vendor service personnel, training, demonstrations, or other\n           purposes.\xe2\x80\x9d\n\n        \xef\x82\xb7\t Approximately 9,000 accounts have not been used (never logged on). The\n           FAM20 requires user privileges to be reviewed annually to verify that\n           privileges are still appropriate.\n\n        \xef\x82\xb7\t Approximately 400 accounts with passwords set not to expire. The FAM21\n           requires passwords to be changed at least every 60 days.\n\n19\n   12 FAM 622.1-3(b), \xe2\x80\x9cPassword Controls.\xe2\x80\x9d \n\n20\n   12 FAM 622.1-3(i).\n\t\n21\n   12 FAM 622.1-3(j).\n\t\n                                                    17\n                                               UNCLASSIFIED\n\x0c                                             UNCLASSIFIED\n\n\n        \xef\x82\xb7\t Approximately 300 Install Accounts were within AD accounts. The FAM22\n           requires the removal of non-permanent (that is, visitor and training) user\n           accounts and passwords.\n\n       From a population of approximately 36,000 ClassNet AD accounts, we identified the\nfollowing discrepancies:\n\n        \xef\x82\xb7\t Approximately 200 guest, test, and temporary accounts were in the AD\n           accounts. The FAM23 states, \xe2\x80\x9cThe data center manager and the system\n           manager may not maintain permanent user IDs and passwords on AISs for\n           visitors, vendor service personnel, training, demonstrations, or other\n           purposes.\xe2\x80\x9d\n\n        \xef\x82\xb7\t Approximately 4,000 accounts have not been used (never logged on). The\n           FAM24 requires user privileges to be reviewed annually to verify that\n           privileges are still appropriate.\n\n        \xef\x82\xb7\t Approximately 900 accounts with passwords set not to expire. The FAM25\n           requires passwords to be changed at least every 60 days.\n\n        \xef\x82\xb7\t Approximately 200 Install Accounts were within AD accounts. The FAM26\n           requires the removal of non-permanent (that is, visitor and training) user\n           accounts and passwords.\n\n        Each bureau and post is responsible for user account management, such as adding new\nusers and removing or modifying existing users\xe2\x80\x99 accounts. Additionally, the Department had not\ndeveloped and implemented processes and procedures to ensure that bureaus and posts\nperformed an annual review and recertification of users\xe2\x80\x99 privileges. Inadequate account and\nidentity management controls increase the risk that temporary and active accounts may be\naccessed and used by Department and contractor personnel to perform unauthorized activities,\nsuch as modifying or improperly releasing sensitive Department information or accessing and\nmodifying operating system software.\n\n        Recommendation 8. We recommend that the Chief Information Officer (CIO) develop\n        and implement Department of State processes and procedures to resolve weaknesses in\n        user accounts to ensure that unnecessary network user accounts are promptly removed by\n        the bureaus and posts. Further, the CIO should develop and implement procedures to\n        ensure that bureaus and organizational unit administrators annually review and recertify\n        access privileges of users so that the number of guest, test, and temporary accounts are\n        managed effectively as required by the Foreign Affairs Manual 12 FAM 622 and 12\n        FAM 629.\n\n\n22\n   12 FAM 629.2-2(c), \xe2\x80\x9cAdministrative Security \xe2\x80\x93 Password Controls.\xe2\x80\x9d\n\t\n23\n   12 FAM 632.1-4(d), \xe2\x80\x9cPassword Controls.\xe2\x80\x9d\n\t\n24\n   12 FAM 622.1-3(i).\n\t\n25\n   12 FAM 622.1-3(j).\n\t\n26\n   12 FAM 629.2-2(c), \xe2\x80\x9cAdministrative Security \xe2\x80\x93 Password Controls.\xe2\x80\x9d\n\t\n                                                      18\n                                             UNCLASSIFIED\n\x0c                                             UNCLASSIFIED\n\n\n        Management Response: The Department stated that it \xe2\x80\x9cagrees there is a potential risk\xe2\x80\x9d\n        with user accounts and that it will, begin \xe2\x80\x9cscoring stale accounts in iPost.\xe2\x80\x9d The\n        Department further stated that it will, in December 2011, \xe2\x80\x9cconduct a more complete\n        assessment of this problem and determine what prioritized mitigation actions are justified\n        by the current level of risk.\xe2\x80\x9d\n\n        The Department also stated that based on \xe2\x80\x9ca preliminary investigation of the accounts\n        identified as deficient by the OIG using a random sample of accounts in each of the\n        remaining categories,\xe2\x80\x9d it found that OIG \xe2\x80\x9chad overestimated the level of deficiency by a\n        large percentage.\xe2\x80\x9d\n\n        OIG Analysis: OIG considers this recommendation resolved, pending further action.\n        OIG has determined that accounts such as group mailboxes accounts and service accounts\n        that have not been used and are active are vulnerable to insider exploitation. The\n        Department should also consider the weaknesses identified in the user accounts analyses\n        when performing its own analyses. Because the Department has agreed to conduct a\n        more complete assessment of this problem, this recommendation can be closed when\n        OIG reviews and accepts documentation showing that the Department is properly\n        maintaining the Active Directory.\n\nF. The User Provisioning Process for Creating, Modifying, and Disabling\n   Users\xe2\x80\x99 Accounts Requires Significant Improvement\n        The Department\xe2\x80\x99s user provisioning process for creating, modifying, and disabling users\xe2\x80\x99\naccounts is not in compliance with the FAM. The FAM27 requires ISSOs to maintain all\npassword/receipt acknowledgement forms to comply with NIST SP 800-53.28 The FAM29 also\nstates the data center manager and the system manager, in conjunction with the ISSO, must\nrevoke user access privileges for employees and contractors who are transferred or terminated.\nWe found control deficiencies within the Department\xe2\x80\x99s user provisioning process as follows:\n\n        \xef\x82\xb7\t Two of 25 ClassNet Domain Administrators accounts did not have \n\n           corresponding individual user accounts, which results in no individual \n\n           accountability of actions for Domain Administrators. \n\n\n        \xef\x82\xb7\t Of 894 separated FTE accounts, 294 accounts were not terminated or\n           deactivated in a timely manner. In addition, of the 294 accounts that were\n           terminated, 104 had a remote access security token.\n\n        \xef\x82\xb7\t All 25 new user accounts created within the past fiscal year did not have\n           documentation (Password/Receipt Form) available for audit.\n\n        \xef\x82\xb7\t All seven network administrator accounts created within the past fiscal year\n           did not have documentation available for audit.\n27\n   12 FAM 622.5, \xe2\x80\x9cLog and Record Keeping.\xe2\x80\x9d\n\t\n28\n   NIST SP 800-53, rev. 3, Aug. 2009, Recommended Security Controls for Federal Information Systems and \n\nOrganizations. \n\n29\n   12 FAM 621.3-3, \xe2\x80\x9cSystem Access.\xe2\x80\x9d \n\n                                                     19\n                                             UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n       \xef\x82\xb7\t One of 25 OpenNet domain administrators/administrators accounts was\n          used as a group account.\n\n       The user provisioning weaknesses occurred because the ISSOs are not performing their\nuser account responsibilities of creating, disabling, and reviewing user access in an effective\nmanner. The Department had not established the controls necessary to ensure the bureau and\npost ISSOs perform their duties effectively by disabling accounts.\n\n        These control weaknesses increase the potential that unauthorized activities can occur\nwithout timely detection, which adversely affects confidentiality, integrity, and availability of the\ndata on OpenNet and ClassNet. In addition, an ineffective user provisioning program and\nineffective procedures and practices increases the Department\xe2\x80\x99s risk of unauthorized users\nhaving access to the network to enable the performance of unauthorized activities such as\nmodifying Department sensitive data, improperly releasing sensitive data, or intentionally\ndestroying sensitive data.\n\n       Recommendation 9. We recommend that the Chief Information Officer (CIO) ensure\n       compliance with the account management process to make certain that user and\n       administrator accounts are created, modified, and deleted in a manner consistent with\n       Department of State policy. Further, the CIO needs to compare the terminated user\n       listings provided by bureau and post personnel officers with information contained in the\n       active directory on a quarterly basis to ensure that accounts for separated employees are\n       removed timely, as required by NIST SP 800-53, Revision 3, August 2009,\n       Recommended Security Controls for Federal Information Systems and Organizations,\n       and the Foreign Affairs Manual (12 FAM 621.3).\n\n       Management Response: The Department stated that the deactivation of accounts\n       recommendation is related to a financial audit. The Department further stated that it \xe2\x80\x9cwill\n       investigate the other findings within six months to determine their scope and materiality\n       to the security of the Department\xe2\x80\x9d and that based on the results of this review, it \xe2\x80\x9cwill\n       determine a risk-based and cost-effective solution to any issues identified,\xe2\x80\x9d which \xe2\x80\x9cmay\n       range from accepting the risk, to further corrective action.\xe2\x80\x9d\n\n       OIG Analysis: OIG considers this recommendation resolved, pending further action.\n       This recommendation can be closed when the Department provides documentation\n       showing proper maintenance related to creating, modifying, and deleting accounts and its\n       comparison of the terminated user listings provided by bureau and post personnel officers\n       and the information contained in the active directory on a quarterly basis to ensure that\n       accounts for separated employees are removed timely, as required by NIST SP 800 53,\n       Revision 3, and in a manner consistent with Department of State policy. Additionally the\n       Department\xe2\x80\x99s statement that the \xe2\x80\x9cdeactivation of accounts . . . is related to\xe2\x80\x9d the financial\n       systems audit presents the appearance that IRM does not fully understand that the\n       security weakness is an enterprise-wide vulnerability and is not isolated to the financial\n       systems. The financial systems of the Department are only a segment of the entire\n       enterprise. Since IRM has done an analysis on the account management on the financial\n       systems, the Department needs to consider taking further action for the remainder of the\n       enterprise.\n                                                 20\n                                        UNCLASSIFIED\n\x0c                                              UNCLASSIFIED\n\n\n\nG. Continuous Monitoring Program Needs To Be Improved\n        The Department had partially implemented a continuous monitoring program at the\norganization level and the system level in accordance with OMB30 and NIST SP 800-37.31\nHowever, the Department had not taken action to resolve the continuous monitoring control\ndeficiencies identified in the FY 2010 FISMA report Review of the Information Security\nProgram at the Department of State. We evaluated the Department\xe2\x80\x99s implementation of these\ncontinuous monitoring components and found deficiencies. (The deficiencies are detailed in\nAppendix H.) Therefore, the continuous monitoring program is only partially implemented.\n\n        At the organizational level, the ISSC had not developed a formal continuous monitoring\nstrategy that addresses framing risk, assessing risk, responding to risk, and monitoring risk in\naccordance with NIST SP 800-39. Department officials stated that the Department is\nimplementing continuous monitoring strategy at a cost-effective, risk-based level of detail and\nwill submit the strategy to the ISSC for approval.\n\n       At the system level, the Department uses the iPost system as its principal system for\nimplementing continuous monitoring organization-wide. For example, the Department performs\nvulnerability assessment scanning every 36 hours. However, this system has not been fully\nimplemented. The following conditions were reported in the FY FISMA 2010 report on the\nDepartment\xe2\x80\x99s information security program:\n\n        \xef\x82\xb7\t The scanning tools do not assess Oracle, the Department\xe2\x80\x99s most common\n           database system, and UNIX security configurations for configuration\n           control weaknesses, which could adversely impact application access\n           controls.\n\n        \xef\x82\xb7\t Scanning results for routers, firewalls, and Demilitarized Zone servers were\n           not available in iPost; therefore, these results were not used in risk scoring.\n\n       We found that the Department had not documented an enterprise-wide continuous\nmonitoring program strategy within its System Security Plans (SSP) to assist system owners in\nevaluating various control deficiencies. The evaluation identified 11 of 30 systems in which the\nsystem security plan lacked a continuous monitoring strategy for the system. The strategy was\nnot updated because the System Security Officer (SSO) did not update the SSPs in accordance\nwith NIST SP 800-53, Revision 3 and NIST SP 800-37. Specifically, NIST SP 800-37 requires\n\n30\n   OMB M-11-33 states, \xe2\x80\x9cAgencies should develop an enterprise-wide strategy for monitoring security controls on\nan ongoing basis. A robust and effective continuous monitoring program will ensure important procedures included\nin an agency\'s security authorization package (e.g., as described in system security plans, security assessment\nreports, and POA&Ms) are updated as appropriate and contain the necessary information for authorizing officials to\nmake credible risk-based decisions regarding the security state of the information system on an ongoing basis. This\nwill help make the security authorization process more dynamic and responsive to today\'s federal missions and\nrapidly changing conditions. NIST SPs 800-37, Revision 1; NIST SP 800-53, Revision 3; and NIST SP 800-53A\nRevision 1, provide guidance on continuous monitoring programs.\xe2\x80\x9d\n31\n   The security documentation needed for continuous monitoring, which includes security impact analyses, security\ncontrol assessments reports, plans of action and milestones, and authorization documentation, is described in NIST\n800-37, rev.1, Guide for Applying the Risk Management Framework to Federal Information Systems (Feb. 2010),\napp. G, \xe2\x80\x9cContinuous Monitoring\xe2\x80\x93Managing and Tracking the Security State of Information Systems.\xe2\x80\x9d\n                                                           21\n                                              UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\nthat an organization-defined continuous monitoring strategy be implemented. NIST SP 800-53,\nRevision 332 requires that the organization establish a continuous monitoring strategy and\nimplement a continuous monitoring program that includes a configuration management process,\nsecurity impact analysis, ongoing security control assessment, and a method to report the\nsecurity state of the system to appropriate organizational officials. During the course of our\nevaluation, we inquired about the implementation of iPost on ClassNet and were informed that\niPost was not currently implemented. Therefore, we did not perform an assessment of any hosts\nor networks residing on ClassNet. Furthermore, we discovered that iPost was in production on\nClassNet as of August 2011, which exceeded our testing timeframe.\n\n       Additionally, the Government Accountability Office (GAO), in July 2011, issued a\ncontinuous monitoring report on the Department\xe2\x80\x99s iPost system.33 GAO stated the following\nconcerning iPost:\n\n        While State has reported success with implementing iPost to provide ongoing\n        monitoring of certain controls over Windows hosts on OpenNet and reporting the\n        status of these controls across the enterprise to appropriate officials, the\n        department faces an ongoing challenge in continuing this success because it does\n        not have a documented continuous monitoring strategy in place.\n\n        In addition to those weaknesses identified in the FY 2010 FISMA report on the\nDepartment\xe2\x80\x99s information security program and the specified weaknesses presented in the GAO\nreport, the FY 2011 evaluation identified weaknesses with the Department\xe2\x80\x99s existing continuous\nmonitoring approach to include the following:\n\n        \xef\x82\xb7\t The Department did not identify all Windows operating systems or \n\n           Department assets on OpenNet. \n\n\n        \xef\x82\xb7\t The Department did not take into consideration those security controls that\n           cannot be tested with automation (that is, physical and environmental\n           controls, effectiveness of the IT security training, and the newest family of\n           controls that deal with IT program management).\n\n        Not having a robust continuous monitoring program prevents an organization from fully\nunderstanding the security state of the information system over time. It also limits an\norganization\xe2\x80\x99s ability to effectively monitor its environment with changing threats,\nvulnerabilities, and technologies, thereby effecting missions/business functions. Without a fully\nimplemented continuous monitoring program, management cannot conduct ongoing\nauthorizations of information systems.\n\n        Recommendation 10. We recommend that the Information Security Steering Committee\n        develop, document, and implement an enterprise-wide continuous monitoring strategy\n        that addresses framing risk, assessing risk, responding to risk, and monitoring risk, as\n        required by NIST SP 800-39, Managing Information Security Risk.\n32\n NIST SP 800-53, CA-7, \xe2\x80\x9cContinuous Monitoring.\xe2\x80\x9d\n33\n Information Security: State Has Taken Steps To Implement a Continuous Monitoring Application, but Key\nChallenges Remain (GAO-11-149, July 8, 2011).\n                                                     22\n                                            UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\n        Management Comments: The Department stated that it \xe2\x80\x9cagrees some increased level of\n        documentation,\xe2\x80\x9d as was recommended, \xe2\x80\x9cwould be valuable.\xe2\x80\x9d\n\n        OIG Analysis: OIG considers this recommendation resolved. The recommendation can\n        be closed when OIG reviews and accepts documentation showing that the ISSC has\n        developed, documented, and implemented an enterprise-wide continuous monitoring\n        strategy.\n\n        Recommendation 11. We recommend that the Chief Information Officer in\n        accordance with the requirements in NIST SP 800-39, Managing Information\n        Security Risk:\n\n        \xef\x82\xb7\t Implement a continuous monitoring strategy at the enterprise-wide level.\n\n        \xef\x82\xb7\t Obtain and use scanning software to enable effective scans of non-\n           Windows operating systems, databases, firewalls, routers, and switches.\n\n        \xef\x82\xb7\t Develop operating procedures to ensure the results are included in the Risk\n           Scoring Program dashboard.\n\n        \xef\x82\xb7\t Develop procedures to ensure that System Security Owners update the\n           system security plans to include a continuous monitoring strategy to detail\n           how system security controls are to be monitored.\n\n        Management Response: The Department stated that it is \xe2\x80\x9calready engaged in\xe2\x80\x9d efforts\n        pertaining to the scanning software, that it will \xe2\x80\x9cpursue [these efforts] with an appropriate\n        level of priority,\xe2\x80\x9d that it \xe2\x80\x9cwill expand the coverage of the risk scoring program,\xe2\x80\x9d and that\n        it \xe2\x80\x9cwill continue to expand coverage of risk in iPost.\xe2\x80\x9d As far as documenting a strategy in\n        its security plans, the Department stated that \xe2\x80\x9cthe continuous monitoring strategy is an\n        enterprise level strategy\xe2\x80\x9d and therefore \xe2\x80\x9cdoes not need to be addressed in detail in every\n        system security plan.\xe2\x80\x9d\n\n        Regarding implementation of a continuous monitoring strategy at the enterprise-wide\n        level, the Department stated that this implementation \xe2\x80\x9cwill require continuous\n        improvement and thus never be completed\xe2\x80\x9d and that its \xe2\x80\x9ccurrent continuous monitoring\n        implementation is being copied as a model by other government agencies and the private\n        sector.\xe2\x80\x9d\n\n        OIG Analysis: OIG considers this recommendation unresolved. Although OIG is aware\n        that the Department has received nation-wide recognition for its continuous monitoring\n        program, the Department must document a continuous monitoring strategy in every\n        security plan, as required by NIST.\n\n        Furthermore, in its response to the Government Accountability Office\xe2\x80\x99s July 2011 report\n        on information security,34 the Department responded as follows: \xe2\x80\x9cState officials\n34\n Information Security: State Has Taken Steps to Implement a Continuous Monitoring Application, but Key\nChallenges Remain (GAO 11-49, July 2011).\n                                                      23\n                                            UNCLASSIFIED\n\x0c                                                UNCLASSIFIED\n\n\n         indicated that the focus on Windows hosts for risk scoring was due, in part, because of\n         the desire to demonstrate success of the risk scoring program before considering other\n         types of network devices.\xe2\x80\x9d\n\n         Also, the Department needs to provide OIG documentation showing a documented\n         enterprise-wide level continuous monitoring strategy, scanning results of non-Windows\n         systems, operating procedures to include non-Windows scan results in iPost, and\n         continuous monitoring plans at the system level.\n\nH. The Continuity of Operations Program Needs to Be Improved\n       The Department\xe2\x80\x99s Continuity of Operations Program is not operating effectively and has\nnot been documented in accordance with NIST SP 800-34 and FCD-2.35 The Department is\nrequired by NIST to have a collection of plans to prepare for response, continuity, recovery, and\nresumption of mission/business processes and information systems.\n\n       We found that the Continuity of Operations Plan (COOP) Communication Plan (CCP) for\nemergency communications and the network had not been updated with significant changes since\n2008. The COOP CCP had not been updated in accordance with NIST SP 800-3436 because\nIRM focuses on the Bureau Emergency Action Plan (BEAP)37 instead of the CCP, which\ncontributes to the continuation of communications and the network for the entire Department.\nFor example, the following significant changes occurred but were not updated:\n\n         \xef\x82\xb7\t The mirrored data redundancy within OpenNet between the Enterprise\n            Service Operations Center (ESOC) East, the Harry S. Truman Building, and\n            the Beltsville Information Management Center.\n\n         \xef\x82\xb7\t The deployment of the SMART Core Messaging Application- Unclassified\n            and the SMART Core Messaging Application- Classified, which both\n            provide the ability to electronically release (send) and receive formal\n            Departmental messages, interest profiling, message archiving,\n            dissemination rules, and Role-Based Access Controls.\n\n         \xef\x82\xb7\t The retirement of the mainframes at the Department of State.\n\n35\n   Federal Continuity Directive 2 (FCD-2) (February 2008), \xe2\x80\x9cFederal Executive Branch Mission Essential Function\nand Primary Mission Essential Function Identification and Submission Process,\xe2\x80\x9d provides guidance and direction to\nFederal Executive Branch departments and agencies in the process for identifying their mission essential functions\n(MEFs), potential primary mission essential functions (PMEFs), and national essential functions (NEFs), and the\nBusiness Process Analysis (BPA) and Business Impact Analysis (BIA) that support and identify the relationships\nbetween these essential functions. It also provides guidance on the processes for conducting a BPA and BIA for\neach of the potential PMEFs that assist in identifying essential function relationships and interdependencies, time\nsensitivities, threat and vulnerability analyses, and mitigation strategies that affect and support the PMEFs. Also, see\nFDC-1, Federal Executive Branch National Continuity Program and Requirements, from which FCD-2 is derived.\n36\n   NIST SP 800-34, rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010 (last updated\nNov. 11, 2010).\n37\n   6 FAM 422.3(a), \xe2\x80\x9cBureau Emergency Action Plan (BEAP),\xe2\x80\x9d defines a BEAP as a \xe2\x80\x9cbureau-specific plan used to\ndescribe actions taken to ensure the safety of Department employees and to ensure bureau readiness to continue\nMEFs across a wide range of domestic emergencies that impact the Department.\xe2\x80\x9d\n                                                            24\n                                                UNCLASSIFIED\n\x0c                                           UNCLASSIFIED\n\n\n\n           \xef\x82\xb7\t The development of the new data center ESOC West.\n\n           In addition, we identified the following deficiencies:\n\n           \xef\x82\xb7\t IRM had not documented an entity-wide Business Impact Analysis (BIA) to ensure\n              the coordination of the recovery prioritizations of critical mission/business processes\n              and services in the event of a disruption within the ESOC. The BIA had not been\n              documented because IRM does not think that the entity-wide BIA applies to its\n              contingency planning process. However, NIST SP 800-34, Revision 1,38 states that\n              the BIA helps identify and prioritize information systems and components critical to\n              supporting the organization\xe2\x80\x99s mission/business processes.\n\n           \xef\x82\xb7\t The entity-wide process-based BIA, which supports COOP functions developed by\n              the Office of Emergency Management (OEM) to support Federal Continuity\n              Directive 2 (FCD-2), does not agree with the OpenNet Contingency Plan. For\n              example, OEM officials stated that the infrastructure should not be interrupted in the\n              event of a disaster, and IRM officials stated that the infrastructure Maximum\n              Tolerable Downtime is 24 hours. The inconsistency between the two documents\n              occurred because the Department does not require OEM and IRM to coordinate with\n              the continuity of operations planning. According to NIST SP 800-34, Revision 1,\n              information systems that support COOP functions will be identified in the process-\n              based BIA.\n\n       An out-of-date COOP CCP increases the risk that the Department may not be able to\nrecover in a timely manner or may experience difficulty in recovering from a disaster.\nAdditionally, the IRM CCP supports the Department COOP; therefore, the COOP relies upon the\nCCP to be current. Without a BIA, there is an increased risk that the Department will not\nrecover mission-critical functions based on established recovery priorities. Additionally, the lack\nof communication between OEM and IRM may cause incongruent requirements and the\nexpectations in the availability of the infrastructure in the event of a disaster.\n\n           Recommendation 12. We recommend that the Chief Information Officer, as required by\n           NIST SP 800-34, Revision 1, \xe2\x80\x9cContingency Planning Guide for Federal Information\n           Systems,\xe2\x80\x9d take the following actions:\n\n           \xef\x82\xb7\t Update the Continuity of Operations Communication Plan annually or\n              when changes occur to the organization, network hardware, systems, and\n              applications and, if necessary, after Continuity Testing.\n\n           \xef\x82\xb7\t Perform an entity-wide Business Impact Analysis and develop a strategy to\n              prioritize recovery of the critical assets within the Department of State.\n\n           \xef\x82\xb7\t Update the Foreign Affairs Manual that contains guidance and direction for\n              development and implementation of Continuity of Operations\n              Communication Plan.\n\n38\n     NIST SP 800-34, rev. 1.\n                                                    25\n                                           UNCLASSIFIED\n\x0c                                              UNCLASSIFIED\n\n\n           Management Response: The Department indicated that it would take the actions\n           recommended except for performing an entity-wide BIA and developing a strategy to\n           prioritize recovery of the critical assets.\n\n           OIG Analysis: OIG considers this recommendation unresolved. This recommendation\n           can be resolved when the Department agrees to perform an entity-wide BIA and develop\n           a strategy to prioritize the recovery of the critical assets. The Department also needs to\n           provide OIG documentation showing that the Department is updating the Continuity of\n           Operations Communication Plan annually or when changes occur and provide evidence\n           that the FAM has been updated to include guidance on the development and\n           implementation of the Communication Plan.\n\n           Recommendation 13. We recommend that the Bureau of Administration,\n           Office of Emergency Management, in coordination with the Chief Information\n           Officer, align the Business Impact Analysis of the Primary Mission Essential\n           Functions with the Bureau of Information Resource Management\xe2\x80\x99s Maximum\n           Tolerable Downtime for the network as required by NIST SP 800-34, Revision\n           1, Contingency Planning Guide for Federal Information Systems.\n\n           Management Response: The Department stated that it \xe2\x80\x9cconsiders the documents already\n           aligned\xe2\x80\x9d but that it would develop criteria to determine when the BIA and the Department\n           GSS downtime is \xe2\x80\x9cadequately coordinated\xe2\x80\x9d and \xe2\x80\x9cverify that these criteria are met.\xe2\x80\x9d\n\n           OIG Analysis: OIG considers this recommendation resolved. This recommendation can\n           be closed when OIG reviews and accepts documentation showing that the Department\n           has updated the Foreign Affairs Manual and the Continuity of Operations\n           Communication Plan and that is has aligned the BIA of the Primary Essential Functions\n           with the Maximum Tolerable Downtime of the network.\n\nI. Information System Contingency Plans Needs To Be Improved\n       The Department needs to improve the information system contingency planning program.\nAn effective contingency planning program is designed to mitigate the risk of system and service\nunavailability by providing effective and efficient solutions to enhance system availability.\n\n       We found that information system contingency plans (ISCP) had not been documented in\naccordance with NIST SPs 800-34, Revision 1, and 800-53, Revision 3, and with the FAM.39 In\nour sample of 25 systems, we found the following deficiencies:\n\n           \xef\x82\xb7\t Three systems\xe2\x80\x93OpenNet, WebPass, and TDS Contingency Plans (CP)\xe2\x80\x93had\n              not documented an alternate recovery site. According to NIST SPs 800-34,\n              Revision 1, and 53, Revision 3, agencies are required to identify an\n              alternate storage site that is geographically separated from the primary\n              storage site so that the alternate site is not susceptible to the same hazards.\n\n\n39\n     5 FAM 1064.2, \xe2\x80\x9cContingency Planning and Continuity of Operations.\xe2\x80\x9d\n                                                       26\n                                              UNCLASSIFIED\n\x0c                                             UNCLASSIFIED\n\n\n        \xef\x82\xb7\t One system\xe2\x80\x93State Messaging and Archive Retrieval Toolset (SMART) -\n           Classified system\xe2\x80\x93did not have a CP. The FAM40 states that system owners\n           and non-Department entities are required to develop and maintain\n           contingency plans for the major applications and general support systems\n           under their control that process, store, or transmit Federal information.\n\n        \xef\x82\xb7\t Two systems\xe2\x80\x93eCountryClearance (eCC) and Secure Integrated Logistics\n           Management System (S-ILMS)\xe2\x80\x93CPs were not sufficiently detailed to\n           enable the proper recovery and damage assessment. NIST SP 800-34,\n           Revision 1,41 requires the agency to address specific actions the\n           organization should take following a system disruption or an emergency.\n           Plans should be formatted to provide quick and clear directions in the event\n           that personnel unfamiliar with the plan or the systems are called upon to\n           perform recovery operations.\n\n        \xef\x82\xb7\t Fifteen systems did not document the annual backup test, as required by\n           NIST42 for moderate- and high-impact systems, to verify media reliability\n           and information integrity. (Systems that did not have annual backup testing\n           are described in Appendix F).\n\n        \xef\x82\xb7\t Three systems\xe2\x80\x93OpenNet, WebPass, and TDS\xe2\x80\x93had not documented backup\n           procedures.\n\n        The control deficiencies occurred within the contingency planning program because the\nDepartment relies extensively on the system owners and bureaus to execute the Department\xe2\x80\x99s\npolicies, establish and implement internal procedures, and ensure compliance with NIST SP 800-\n34, Revision 1.\n\n       Additionally, the Department had not developed reporting requirements for obtaining\nassurance of performance from the system owners and bureaus. By inadequately documenting\nthe contingency plan, there is an increased risk that the Department will not be able to recover its\nmission-critical systems timely in the event of a significant disruption. Also, the Department\nincreases the risks that it will not be able to meet its mission requirements and continue normal\nbusiness activities.\n\n        Recommendation 14. As required by National Institute of Standards and Technology\n        (NIST) Special Publications (SP) 800-34, Revision 1, Contingency Planning Guide for\n        Federal Information Systems, and SP 800-53, Revision 3, Recommended Security\n        Controls for Federal Information Systems and Organizations, we recommend that the\n        Bureau of Information Resource Management, Office of Information Assurance, in\n        coordination with the bureaus and system owners, take the following actions:\n\n\n40\n   5 FAM 1064.2(a)(1). \n\n41\n   NIST SP 800-34, rev. 1, Contingency Planning Guide for Federal Information Systems (May 2010) (last updated\n\t\nNov. 11, 2010). \n\n42\n   NIST SP 800-53, rev. 3, Recommended Security Controls for Federal Information Systems and Organizations\n\n(Aug 2009).\n\t\n                                                      27\n                                             UNCLASSIFIED\n\x0c                               UNCLASSIFIED\n\n\n\n\xef\x82\xb7\t Document and maintain alternate site locations and procedures for\n   accessing an alternate site.\n\n\xef\x82\xb7\t Develop and maintain contingency plans for all major applications and\n   general support systems.\n\n\xef\x82\xb7\t Maintain and update recovery and restoration procedures for all\n   applications and general support systems.\n\nManagement Response: The Department stated it \xe2\x80\x9cwill document compliance and/or\nnon-compliance to the OIG findings and take the necessary corrective action.\xe2\x80\x9d\n\nOIG Analysis: OIG considers this recommendation resolved. This recommendation can\nbe closed when OIG reviews and accepts documentation showing that the Department\nhas documented and is maintaining and updating the contingency plan program\ndocumentation.\n\nRecommendation 15. As required by National Institute of Standards and Technology\n(NIST) Special Publications (SP) 800-34, Revision 1, Contingency Planning Guide for\nFederal Information Systems and SP 800-53, Revision 3, Recommended Security\nControls for Federal Information Systems and Organizations, we recommend that the\nChief Information Officer:\n\n\xef\x82\xb7\t Revise the Information Resource Management/ Information Assurance\n   Contingency Plan Test Review checklist to address the following items:\n\n           o\t Recovery and damage assessment procedures\n\n           o\t Alternate recovery site details\n\n           o\t Back-up procedures\n\n           o\t Back-up test results for moderate- and high-impact systems\n\n\xef\x82\xb7\t Revise the Contingency Plan Policy to include an organization-defined\n   frequency for backup testing.\n\n\xef\x82\xb7\t Revise the Foreign Affairs Manual to require system owners to report to\n   IRM/IA on the test results and updates to the contingency plans.\n\nManagement Response: The Department stated it \xe2\x80\x9cwill document compliance and/or\nnon-compliance to the OIG findings and take the necessary corrective action.\xe2\x80\x9d\n\nOIG Analysis: OIG considers this recommendation resolved. This recommendation can\nbe closed when OIG reviews and accepts documentation showing that the Department\nhas updated the FAM policy regarding backup and updates to the contingency plans, has\nupdated the Contingency Plan Test Review checklist, and has remediated deficiencies\nfound within the individual information system contingency plans.\n                                        28\n                               UNCLASSIFIED\n\x0c                                          UNCLASSIFIED\n\n\n\nJ. Oversight of Contractor Systems and Extensions Needs Improvement\n        The Department had not implemented an effective program for the oversight of\ncontractor systems and contractor extensions (remote network connections to Department\nsystems). Although the Department established initial contract agreements and conducted initial\nrisk assessments for contractor extensions, we noted several deficiencies. For example, COCO\nsystems did not have security-related documentation. The FAM43 and NIST SP 800-4744 require\nthat the Department document the interconnection agreements between the network and the\ncontractor with language similar to that contained in a memorandum of understanding (MOU)\nand an interconnection security agreement (ISA). The agreement must be submitted to IRM/IA.\n\n       Specifically, for COCO systems, IRM/IA did not provide documentation for the\nfollowing:\n\n        \xef\x82\xb7\t For all five COCO systems, a contractor agreement and system security\n           documentation were lacking for the State Assistance Management System\n           (SAMS); the Consular Visa System (CVS); the Antiterrorism Assistance\n           (ATA) Student Database; the Foreign Service Office Tester (FSOT) system,\n           and the Gateway to State (GTS). The Department relies on a decentralized\n           security program whereby system owners/bureaus are responsible for\n           overseeing COCO systems that provide services to a bureau.\n\n        \xef\x82\xb7\t Of five COCO systems, ATOs were not made available for review for four\n           systems (SAMS, CVS, ATA database, and FSOT). According to OMB,45\n           the Department must assess security controls in accordance with NIST\n           guidelines for contractor systems that collect, process, maintain, and house\n           Government information.\n\n       The list of OpenNet extensions does not contain a complete inventory of workstations at\nother Government agencies. For example, OpenNet terminals (workstations) were observed by\nan OIG audit team at International Boundary and Water Commission (IBWC) and Broadcasting\nBoard of Governors (BBG) offices. These connections are not on the list of OpenNet extensions.\nThe Department tracks only OpenNet extensions at contractor sites and vendors and does not\ninclude other third parties, such as Government agencies.\n\n        We also found that the Department did not have an effective mechanism in place to\nidentify the total number of contractors\xe2\x80\x99 personnel who had access to and privileges within the\nDepartment\xe2\x80\x99s network, applications, databases, and data. OMB Memorandum M-11-33 states:\n\xe2\x80\x9cAgencies must develop policies for information security oversight of contractors and other users\nwith privileged access to Federal data. Agencies must also review the security of other users\nwith privileged access to Federal data and systems.\xe2\x80\x9d\n\n\n43\n   5 FAM 1065.3-1, \xe2\x80\x9cRequests for Interagency and Non-Department Connectivity.\xe2\x80\x9d\n\t\n44\n   NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems,, Aug 2002. \n\n45\n   OMB Memorandum M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management\n\nAct and Agency Privacy Management.\n\n                                                        29\n                                          UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n        The Department\xe2\x80\x99s contractor oversight process is decentralized whereby the Department\nassigns responsibility to the bureaus and posts and the system owner to provide better contractor\noversight. For instance, to obtain information on the total number of Department contractor\npersonnel, personnel from each Department bureau and office would have to be contacted. The\nDepartment had not established procedures to identify the number of contractors. DS and HR\nofficials stated that they are collaborating to develop a Contractor Personnel Support System.\nAccording to DS officials, once the system is fully implemented and integrated with other\nsystems, it will provide contractor oversight information for the Department.\n\n        Without adequate contractor oversight, the Department has minimal assurance that\nCOCO systems, contractor extensions, and contractor personnel are compliant with FISMA,\nOMB requirements, and NIST standards. Additionally, without oversight, there is an increased\nrisk that Department data collected, processed, and maintained can be exposed to unauthorized\naccess, use, disclosure, disruption, modification, or destruction.\n\n       Recommendation 16. We recommend that the Chief Information Officer, as required by\n       the Foreign Affairs Manual (5 FAM 1065.3) and the National Institute of Standards and\n       Technology Special Publication 800-47, Security Guide for Interconnecting Information\n       Technology Systems, take the following actions:\n\n       \xef\x82\xb7\t   Ensure that the contractor oversight program complies with Office of Management\n            and Budget, Federal Information Security Management Act, National Institute of\n            Standards and Technology, and the Foreign Affairs Manual security policies,\n            standards, and requirements for managing Contractor Owned Contractor Operated\n            systems; specifically, all security-related documentation for such systems should be\n            retained.\n\n       \xef\x82\xb7\t   Implement a COCO system security program whereby COCOs are overseen by the\n            Bureau of Information Resource Management/Information Assurance.\n\n       Management Response: The Department indicated that it will align its contractor\n       oversight program with Federal standards and guidelines. However, the Department\n       stated that it \xe2\x80\x9cdoes not agree that [the] assignments [to implement a program whereby\n       COCOs are overseen by IRM/IA] need to be changed.\xe2\x80\x9d\n\n       OIG Analysis: OIG considers the recommendation unresolved. Because contractor\n       systems pose an even greater security risk because of the lack of Department presence, a\n       COCO system security program overseen by IRM/IA is needed, and the Department\n       needs to this action. Regarding the contractor oversight program, the Department needs\n       to provide OIG documentation showing that it has aligned its contractor oversight\n       program with Federal standards and guidelines.\n\n       Recommendation 17. We recommend that the Bureau of Diplomatic Security develop\n       and implement new and enhanced security requirements to coordinate security activities\n       for tracking all extensions (that is, contractor sites, other Government agencies, and third-\n       party vendors) to OpenNet and ClassNet, as required by the Office of Management and\n\n                                                30\n                                        UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\n\n       Budget Memorandum M-11-33, FY 2011 Reporting Instructions for the Federal\n       Information Security Management Act and Agency Privacy Management.\n\n       Management\xe2\x80\x99s Response: The Department stated that it \xe2\x80\x9cwill verify\xe2\x80\x9d that all\n       Department computers at other Federal agencies \xe2\x80\x9care clearly documented\xe2\x80\x9d and that it\n       had not found any \xe2\x80\x9cdefects with regard to the process for contractor sites.\xe2\x80\x9d\n\n       OIG Analysis: OIG considers this recommendation resolved. This recommendation can\n       be closed when OIG reviews and accepts documentation showing that the Department\n       has developed and is implementing new and enhanced security requirements to\n       coordinate security activities for tracking all extensions to include contractor sites.\n\n       Recommendation 18. We recommend that the Bureau of Diplomatic Security, in\n       coordination with the Bureau of Administration, establish procedures to identify the total\n       number of contractors who have access to Department of State systems, as required by\n       Office of Management and Budget Memorandum M-11-33, FY 2011 Reporting\n       Instructions for the Federal Information Security Management Act and Agency Privacy\n       Management.\n\n       Management Comments: The Department stated that it does not agree with the\n       recommendation because \xe2\x80\x9cknowing the exact total number of contractors (a continuously\n       changing number)\xe2\x80\x9d does not impact the security of the Department and OMB\n       Memorandum M-11-33 does not require this.\n\n       OIG Analysis: OIG considers this recommendation unresolved. OMB Memorandum\n       M-11-33 requires that agencies provide security training and awareness to all employees,\n       including contractors, and further requires agencies to develop policies for information\n       security oversight of contractors and other users who have privileged access to Federal\n       data. This recommendation can be resolved when the Department agrees to take action to\n       identify its total number of contractors.\n\nK. Capital Planning Requires Improvement\n        We found that information security was not fully integrated into the Department\xe2\x80\x99s Capital\nPlanning and Investment Control (CPIC) process. As a result, management may be unaware of\nthe Department\xe2\x80\x99s complete IT security portfolio. CPIC is the decision-making process for\nensuring that IT investments integrate strategic planning, budgeting, procurement, and IT\nsecurity in support of agency missions and business needs. OMB Memorandum 11-33 mandates\nthe Department integrate and fund IT security over the lifecycle of each system. The\nmemorandum also states that security requirements for a steady state system, which is an\nexisting system, that generates maintenance and operation costs at current capability and\nperformance level must be met before new funds are spent on new systems or an existing system\nis modernized.\n\n\n\n\n                                               31\n                                       UNCLASSIFIED\n\x0c                                               UNCLASSIFIED\n\n\n        For four46 of 10 appropriated IT security investments reviewed, the Department did not\nprovide documentation showing obligations and expenditures. Approximately $164 million was\nappropriated for the IT security investments; however, because of the lack of documentation for\nthe project expenditures, there is an increased risk associated with the potential inability to\nachieve overall security program objectives within defined cost, schedule, and technical\nconstraints. The CIO did not comply with provisions of the Clinger-Cohen Act of 1996, which\nrequire assumption of responsibility and accountability for IT investments. Inadequate\nmonitoring shows a lack of accountability once funds are approved.\n\n         We identified the following control weaknesses related to the CPIC process:\n\n         \xef\x82\xb7\t The Department did not provide OMB with required information related to\n            IT security investments that have a significant dependency for the IT\n            Infrastructure major investment. In a sample of 10 non-major investments\n            that made up the IT Infrastructure major investment, we found none of the\n            10 investments were identified by the unique project identifier (UPI) in\n            OMB Circular A-1147 Exhibit 300, 48 even though OMB requires an agency\n            to report IT security initiatives and investments not directly tied to a major\n            investment on a separate line identified as \xe2\x80\x9cnon-major.\xe2\x80\x9d By not including\n            IT security investments that have a significant dependency on the IT\n            infrastructure major investment in the exhibit 300, OMB does not have an\n            accurate amount spent on IT security.\n\n         \xef\x82\xb7\t IT security costs from the Department\xe2\x80\x99s Plans of Actions and Milestones\n            (POA&Ms) are not captured in the capital planning process. Specifically,\n            the Department\xe2\x80\x99s implementation of the POA&M process did not reflect the\n            unique project identifiers (UPI)49 for each corrective action plan as required\n            by OMB.50 According to OMB, security costs identified in POA&Ms are\n            required to be captured within each investment\xe2\x80\x99s Exhibit 300 and\n            summarized to Exhibit 53.51\n\n                IRM had not developed procedures to reflect guidelines contained in the FY 2010\n         OMB Circular A-11, which states that non-major investments that are directly tied to\n         major investments can be collapsed into a major investment. The Department was not\n         aware of the OMB52 requirement that each POA&M must have a unique project\n\n46\n   The four systems are Department Bandwidth Management, Foreign Affairs Network, IT Infrastructure\xe2\x80\x93IRM, and \n\nEnterprise Network Management. \n\n47\n   OMB Circular A-11, Preparation, Submission, and Execution of the Budget.\n\n48\n   Exhibit 300, Capital Asset Plan and Business Case Summary, is the document OMB uses to assess investments \n\nand ultimately make funding decisions. The exhibit also provides OMB with a robust assessment of the investment \n\nand is the vehicle for IT investments to justify lifecycle and annual funding requests to OMB. \n\n49\n   UPIs consist of the identifier depicting agency code, bureau code, mission area (where appropriate), part of the\n\t\nexhibit where investment will be reported (Exhibit 300), type of investment, agency four-digit identifier, and two-\n\ndigit investment category code.\n\n50\n   OMB Memorandum M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones.\n\n51\n   Exhibit 53, Agency IT Investment Portfolio, provides an overview of the agency\xe2\x80\x99s entire IT portfolio by listing\n\t\nevery IT investment, lifecycle, and budget-year cost information.\n\n52\n   OMB Memorandum M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones.\n\n                                                            32\n                                               UNCLASSIFIED\n\x0c                                UNCLASSIFIED\n\n\nidentifier. Without providing proper justification for funds, the Department\xe2\x80\x99s\naccountability of the IT Infrastructure investment is not fully supported. The lack of\nintegration between the POA&M process and the capital planning process negatively\naffects the fund prioritization among the IT investments. Ultimately, inadequate\noversight increases the risk of unapproved investments being funded.\n\nRecommendation 19. We recommend that the Chief Information Officer, as required by\nOffice of Management and Budget (OMB) Memorandum M-11-33, FY 2011 Reporting\nInstructions for the Federal Information Security Management Act and Agency Privacy\nManagement, and OMB Circular No. A\xe2\x80\x9311, Preparation, Submission, and Execution of\nthe Budget:\n\n\xef\x82\xb7\t Ensure that the Bureau of Information Resource Management/ Business Management\n   and Planning track all obligations and expenditures for information technology\n   security investments.\n\n\xef\x82\xb7\t Provide a summary of non-major investments that make up the information\n   technology Infrastructure and other major investments.\n\n\xef\x82\xb7\t Include the Unique Project Identifier in the Department of State\xe2\x80\x99s Plans of Action and\n   Milestones database.\n\nManagement Response: The Department stated that it \xe2\x80\x9cagree[d]\xe2\x80\x9d with this\nrecommendation \xe2\x80\x9cbut not the authorities cited.\xe2\x80\x9d However, it stated that it will track and\ninclude a summary report for all obligations and expenditures for all IT projects that have\na material level of funding or significant security risk and that it will \xe2\x80\x9c[i]nclude UPIs in\nthe Department\xe2\x80\x99s POA&M for each system.\xe2\x80\x9d\n\nOIG Analysis: OIG considers this recommendation resolved. This recommendation can\nbe closed when OIG reviews and accepts documentation showing that the Department is\ntracking all obligations and expenditures for all IT projects and including UPIs in its\nPOA&M for each system.\n\n\n\n\n                                         33\n                                UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\n\n                    OIG Additional Analyses of Management Comments\n\n        In its response to the draft report, the Department provided additional comments and\ninformation that were not recommendation specific. These comments and OIG\xe2\x80\x99s responses are\nas presented.\n\nContinuous Monitoring\n\n        The Department stated that it disagreed with OIG that continuous monitoring,\nas currently conducted, produced lower risk than a traditional C&A program, and on\nthe relative importance of completeness and compliance vs. timeliness and risk-based\nprioritization. Having carefully considered these factors, the Department is convinced\nits continuous monitoring program, which is 300 times more timely than traditional\nthree-year reauthorizations, produces significantly lower security risk on its\nnetworks.\xe2\x80\x9d\n\n        OIG continues to support the concept of continuous monitoring. However, as\nimplemented within the Department, compounded with the lack of documentation that exists,\nthose deficiencies represent a serious internal control weaknesses. While the Department has\nrepeatedly questioned the accuracy of the examples provided by OIG to support the weaknesses\nidentified in this report, the Department has not refuted these weaknesses.\n\nRisk-Based Versus Compliance-Based Assessment\n\n         Regarding the Department\xe2\x80\x99s comments on risk-based versus compliance-based\nassessment of the information security program, OIG maintains that the lack of security controls\n(internal controls) in the supporting general support systems constitutes a substantial risk to\ninformation and information systems. The Department\xe2\x80\x99s inability to produce a continuous\nmonitoring and risk management strategy reinforces OIG\xe2\x80\x99s position regarding a defined\napproach to addressing risk and taking corrective actions. Because IRM cannot provide a\nrepeatable process used to identify and correct weaknesses that can be continued by others, OIG\nis unable to assess the effectiveness of the existing \xe2\x80\x9crisk-based\xe2\x80\x9d process. Currently, the process\nis under the sole control of limited personnel within IRM and is not fully vested with others\nresponsible for involvement in the risk based decision making for the Department. Furthermore,\nbecause the continuous monitoring and risk management strategies are not documented, the\nability to continue making decisions that are based on management having an accurate\nrepresentation of the vulnerabilities in the Department\xe2\x80\x99s information security program is\nquestionable. These factors alone contribute to the risk to the Department but if some\ncatastrophic event occurs to the few IRM employees who are currently managing the continuous\nmonitoring and risk management strategies the ability to continue would be hampered because\nthere is no documentation to explain how the process is supposed to be working.\n\nCompleteness and Timeliness\n\n        Regarding the statements concerning completeness and timeliness, OIG agrees that the\npast 3-year cycle of FISMA did not present a current state of the security controls in an\n                                                34\n                                       UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\ninformation system. However, the continuous monitoring approach does not provide a complete\nstate of information system security controls. The current implementation tests a limited number\nof the security controls repeatedly, but it does not provide a methodology to test all of the\nsecurity controls over the life of the security authorization, as required by NIST. Although the\ncurrent process does provide a timely response to a small subset of the security controls, it lacks\na strategy to explain how other controls are tested and allows the majority of security controls to\nbe untested. Since many of these controls require a manual assessment to determine the degree\nof effectiveness over the course of the security authorization, the inability of the Department to\ndocument the continuous monitoring strategy and a lack of plan of action and milestones to enact\ncorrective actions place the Department\xe2\x80\x99s vital information and information systems at\nsignificant risk.\n\n\n\n\n                                                35\n                                        UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\n\n                          List of Current Year Recommendations\n\nRecommendation 1. We recommend that the Information Security Steering\nCommittee (ISSC) meet on a monthly basis to fulfill its purpose and responsibilities as\nrequired in ISSC charter.\n\nRecommendation 2. We recommend that the Information Security Steering\nCommittee improve its risk management strategy at the organizational level for\nassessing, responding to, and monitoring information security risk as required in the\nForeign Affairs Manual and the National Institute of Standards and Technology\nSpecial Publication 800-39.\n\nRecommendation 3. We recommend that the Chief Information Officer:\n\n       \xef\x82\xb7\t Improve oversight of the security assessment and authorization process for\n          the Department\xe2\x80\x99s information systems, especially the OpenNet General\n          Support System (GSS) and ClassNet GSS as required by the National\n          Institute of Standards and Technology (NIST) (SP) 800-37.\n       \xef\x82\xb7\t Improve existing procedures to ensure security authorization packages are\n          updated every 3 years or when a significant change occurs or develop a\n          risk-based approach for implementing a continuous monitoring strategy as\n          required by NIST SP 800-37.\n       \xef\x82\xb7\t Improve existing procedures to ensure Systems Security Plans and Systems\n          Assessment Reports are updated as required to comply with the security\n          baseline controls contained in NIST SP 800-53 (Revision 3).\n       \xef\x82\xb7\t Perform annual security assessments of a subset of a system\xe2\x80\x99s security\n          controls as required by NIST SP 800-37.\n\nRecommendation 4. We recommend that the Chief Information Officer expedite the\nInformation Resource Management, Operations, Enterprise Network Management and\nDiplomatic Security, Security Infrastructure, Office of Computer Security process to\nfinalize and implement the elements within the Cyber Security Architecture draft target\narchitecture and initiative for end-to\xe2\x80\x93end configuration management and take\nimmediate action to correct or mitigate the high risk vulnerabilities identified by the\nvulnerability scanning as required by the Foreign Affairs Manual and Diplomatic\nSecurity System Configuration Policy and Procedures.\n\nRecommendation 5. We recommend that the Chief Information Officer and the\nBureau of Diplomatic Security ensure, for significant security responsibility (SSR)\ntraining, that personnel designated as having SSR responsibilities receive the\nappropriate training as required by the Information Assurance Training Plan.\n\nRecommendation 6. We recommend that the Chief Information Officer implement,\nfor Security Awareness Training, automated methods to replace the current manual\nprocess to track and enforce the Department of State security awareness policy and to\nsuspend a user\xe2\x80\x99s access to the network if the user has not taken the Cyber Security\n\n                                                36\n                                       UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\nAwareness course within the required timeframe as required by the Information\nAssurance Training Plan.\n\nRecommendation 7. We recommend that the Chief Information Officer:\n\n       \xef\x82\xb7\t Implement a Plans of Action and Milestones (POA&M) tracking process\n          for all ClassNet security weaknesses as required by Committee on National\n          Security Systems Policy Number 22, Information Assurance Risk\n          Management Policy for National Security Systems.\n       \xef\x82\xb7\t Distribute the quarterly POA&M Grade Memorandums to the bureaus\xe2\x80\x99 and\n          offices\xe2\x80\x99 senior management (executive director) as required by M-04-25,\n          FY 2004 Reporting Instructions for the Federal Information Security\n          Management Act.\n       \xef\x82\xb7\t Ensure that the POA&M completion dates and the required resources for\n          OpenNet corrective actions are updated as required by OMB Memorandum\n          M-04-25.\n\nRecommendation 8. We recommend that the Chief Information Officer (CIO) develop and\nimplement Department of State processes and procedures to resolve weaknesses in user accounts\nto ensure that unnecessary network user accounts are promptly removed by the bureaus and\nposts. Further, the CIO should develop and implement procedures to ensure that bureaus and\norganizational unit administrators annually review and recertify access privileges of users so that\nthe number of guest, test, and temporary accounts are managed effectively as required by the\nForeign Affairs Manual 12 FAM 622 and 12 FAM 629.\n\nRecommendation 9. We recommend that the Chief Information Officer (CIO) ensure\ncompliance with the account management process to make certain that user and administrator\naccounts are created, modified, and deleted in a manner consistent with Department of State\npolicy. Further, the CIO needs to compare the terminated user listings provided by bureau and\npost personnel officers with information contained in the active directory on a quarterly basis to\nensure that accounts for separated employees are removed timely, as required by NIST SP 800-\n53, Revision 3, August 2009, Recommended Security Controls for Federal Information Systems\nand Organizations, and the Foreign Affairs Manual (12 FAM 621.3).\n\nRecommendation 10. We recommend that the Information Security Steering Committee\ndevelop, document, and implement an enterprise-wide continuous monitoring strategy that\naddresses framing risk, assessing risk, responding to risk, and monitoring risk, as required by\nNIST SP 800-39, \xe2\x80\x9cManaging Information Security Risk.\xe2\x80\x9d\n\nRecommendation 11. We recommend that the Chief Information Officer in accordance with the\nrequirements in NIST SP 800-39, Managing Information Security Risk:\n\n       \xef\x82\xb7\t Implement a continuous monitoring strategy at the enterprise-wide level.\n\n       \xef\x82\xb7\t Obtain and use scanning software to enable effective scans of non-\n          Windows operating systems, databases, firewalls, routers, and switches.\n\n                                                37\n                                        UNCLASSIFIED\n\x0c                                      UNCLASSIFIED\n\n\n\n       \xef\x82\xb7\t Develop operating procedures to ensure the results are included in the Risk\n          Scoring Program dashboard.\n\n       \xef\x82\xb7\t Develop procedures to ensure that System Security Owners update the\n          system security plans to include a continuous monitoring strategy to detail\n          how system security controls are to be monitored.\n\nRecommendation 12. We recommend that the Chief Information Officer, as required\nby NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information\nSystems, take the following actions:\n\n       \xef\x82\xb7\t Update the Continuity of Operations Communication Plan annually or\n          when changes occur to the organization, network hardware, systems, and\n          applications and, if necessary, after Continuity Testing.\n\n       \xef\x82\xb7\t Perform an entity-wide Business Impact Analysis and develop a strategy to\n          prioritize recovery of the critical assets within the Department of State.\n\n       \xef\x82\xb7\t Update the section of the Foreign Affairs Manual that contains guidance\n          and direction for development and implementation of Continuity of\n          Operations Communication Plan.\n\nRecommendation 13. We recommend that the Bureau of Administration, Office of\nEmergency Management, in coordination with the Chief Information Officer, align the\nBusiness Impact Analysis of the Primary Mission Essential Functions with the Bureau\nof Information Resource Management\xe2\x80\x99s Maximum Tolerable Downtime for the\nnetwork as required by NIST SP 800-34, Revision 1, Contingency Planning Guide for\nFederal Information Systems.\n\nRecommendation 14. As required by National Institute of Standards and Technology\n(NIST) Special Publications (SP) 800-34, Revision 1, Contingency Planning Guide for\nFederal Information Systems, and SP 800-53, Revision 3, Recommended Security\nControls for Federal Information Systems and Organizations, we recommend that the\nBureau of Information Resource Management, Office of Information Assurance, in\ncoordination with the bureaus and system owners, take the following actions:\n\n       \xef\x82\xb7\t Document and maintain alternate site locations and procedures for\n          accessing an alternate site.\n\n       \xef\x82\xb7\t Develop and maintain contingency plans for all major applications and\n          general support systems.\n\n       \xef\x82\xb7\t Maintain and update recovery and restoration procedures for all\n          applications and general support systems.\n\nRecommendation 15. As required by National Institute of Standards and Technology\n(NIST) Special Publications (SP) 800-34, Revision 1, Contingency Planning Guide for\n                                               38\n                                      UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\n\nFederal Information Systems and SP 800-53, Revision 3, Recommended Security\nControls for Federal Information Systems and Organizations, we recommend that the\nChief Information Officer:\n\n       \xef\x82\xb7\t Revise the Information Resource Management/ Information Assurance\n          Contingency Plan Test Review checklist to address the following items:\n\n                  o\t Recovery and damage assessment procedures\n\n                  o\t Alternate recovery site details\n\n                  o\t Back-up procedures\n\n                  o\t Back-up test results for moderate- and high-impact systems\n\n       \xef\x82\xb7\t Revise the Contingency Plan Policy to include an organization-defined\n          frequency for backup testing.\n\n       \xef\x82\xb7\t Revise the Foreign Affairs Manual to require system owners to report to\n          IRM/IA on the test results and updates to the contingency plans.\n\nRecommendation 16. We recommend that the Chief Information Officer in\naccordance with the Foreign Affairs Manual (5 FAM 1065.3) and the National Institute\nof Standards and Technology Special Publication 800-47, Security Guide for\nInterconnecting Information Technology Systems, take the following actions:\n\n       \xef\x82\xb7\t Ensure that the contractor oversight program complies with Office of Management\n          and Budget, Federal Information Security Management Act, National Institute of\n          Standards and Technology, and the Foreign Affairs Manual security policies,\n          standards, and requirements for managing Contractor Owned Contractor Operated\n          (COCO) systems; specifically, all security-related documentation for such systems\n          should be retained.\n\n       \xef\x82\xb7\t Implement a COCO system security program whereby COCOs are overseen by the\n          Bureau of Information Resource Management/ Information Assurance.\n\nRecommendation 17. We recommend that the Bureau of Diplomatic Security develop\nand implement new and enhanced security requirements to coordinate security\nactivities for tracking all extensions (that is, contractor sites, other Government\nagencies, and third-party vendors) to OpenNet and ClassNet as required by the Office\nof Management and Budget Memorandum M-11-33, FY 2011 Reporting Instructions\nfor the Federal Information Security Management Act and Agency Privacy\nManagement.\n\nRecommendation 18. We recommend that the Bureau of Diplomatic Security, in\ncoordination with the Bureau of Administration, establish procedures to identify the\ntotal number of contractors who have access to Department of State systems, as\n\n                                               39\n                                       UNCLASSIFIED\n\x0c                                     UNCLASSIFIED\n\n\nrequired by the Office of Management and Budget Memorandum M-11-33, FY 2011\nReporting Instructions for the Federal Information Security Management Act and\nAgency Privacy Management.\n\nRecommendation 19. We recommend that the Chief Information Officer, as required\nby Office of Management and Budget (OMB) Memorandum M-11-33, FY 2011\nReporting Instructions for the Federal Information Security Management Act and\nAgency Privacy Management, and OMB Circular No. A\xe2\x80\x9311, Preparation, Submission,\nand Execution of the Budget:\n\n      \xef\x82\xb7\t Ensure that the Bureau of Information Resource Management/ Business\n         Management and Planning track all obligations and expenditures for\n         information technology security investments.\n\n      \xef\x82\xb7\t Provide a summary of non-major investments that make up the information\n         technology-Infrastructure and other major investments.\n\n      \xef\x82\xb7\t Include the Unique Project Identifier in the Department of State\xe2\x80\x99s Plans of\n         Action and Milestones database.\n\n\n\n\n                                              40\n                                     UNCLASSIFIED\n\x0c                                          UNCLASSIFIED\n\n\n\n                  Appendix A. Objectives, Scope, and Methodology\n\n       In order to fulfill its responsibilities related to the Federal Information Security\nManagement Act (FISMA), the Office of Inspector General (OIG) contracted with Williams,\nAdley & Company, LLP (referred to as \xe2\x80\x9cwe\xe2\x80\x9d in this appendix), an independent public\naccountant, to evaluate the Department of State\xe2\x80\x99s information security program and practices to\ndetermine the effectiveness of such programs and practices for FY 2011.\n\n        FISMA requires each Federal agency to develop, document, and implement an agency-\nwide program to provide information security for the information systems that support the\noperations and assets of the agency, including those provided or managed by another agency or\ncontractor or another source. To ensure the adequacy and effectiveness of these controls,\nFISMA requires the agency inspector general or an independent external auditor to perform\nannual reviews of the information security program and to report those results to the Office of\nManagement and Budget (OMB) and the Department of Homeland Security (DHS). DHS uses\nthis data to assist in oversight responsibilities and to prepare its annual report to Congress\nregarding agency compliance with FISMA.\n\n       We performed the evaluation in accordance with Generally Accepted Government\nAuditing Standards (GAGAS), FISMA, OMB, and National Institute of Standards and\nTechnology (NIST) Special Publications (SP) guidance. GAGAS requires that we plan and\nperform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our\nfindings and conclusions based on our evaluation objectives. We and OIG believe that the\nevidence obtained provides a reasonable basis for our findings and conclusions based on our\nevaluation objectives.\n\n       We performed fieldwork from April through July 31, 2011. Our fieldwork was\ncompleted before OMB Memorandum M-11-33,1 FY 2011 Reporting Instructions for the\nFederal Information Security Management Act and Agency Privacy Management, dated\nSeptember 14, 2011, was issued. This memorandum provided instructions for FY 2011 reporting\nrequirements. We reviewed the memorandum and evaluated its impact on our results but\ndetermined that no changes were required to be made.\n\n\n\n\n1\n OMB Memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management\nAct and Agency Privacy Management, dated September 14, 2011.\n                                                    41\n                                          UNCLASSIFIED\n\x0c                                              UNCLASSIFIED\n\n                                                 DRAFT\n\n\n       We used the following laws, regulations, and policies to evaluate the adequacy of the\ncontrols in place at the Department:\n\n        \xef\x82\xb7    OMB Memorandums M-02-01, M-04-04, M-06-19, M-10-15, and M-11-33. 2\n        \xef\x82\xb7    Department policies and procedures such as 5 FAM and 12 FAM. 3\n        \xef\x82\xb7    Federal laws, regulations, and standards such as FISMA, OMB Circular A-130,\n             Appendix III,4 and OMB Circular No. A-11.5\n        \xef\x82\xb7    NIST Special Publications (SP), Federal Information Processing Standards (FIPS),\n             other applicable NIST publications, and industry best practices.\n\n      In our evaluation, we assessed the Department\xe2\x80\x99s information security program policies,\nprocedures, and processes in the following areas:\n\n        \xef\x82\xb7   Risk management framework (formerly Certification & Accreditation)\n\t\n        \xef\x82\xb7   Security configuration management \n\n        \xef\x82\xb7   Incident response and reporting \n\n        \xef\x82\xb7   Security training \n\n        \xef\x82\xb7   Plans of action and milestones (POA&M) \n\n        \xef\x82\xb7   Remote access\n\t\n        \xef\x82\xb7   Account and identity management \n\n        \xef\x82\xb7   Continuous monitoring \n\n        \xef\x82\xb7   Contingency planning \n\n        \xef\x82\xb7   Oversight of contractor systems\n\t\n        \xef\x82\xb7   Security architecture and capital planning \n\n\n        The evaluation covered the period of October 1, 2010, to September 30, 2011. During\nthe fieldwork, we took the following actions:\n\n    \xef\x82\xb7\t Determined the extent to which the Department\xe2\x80\x99s information security plans,\n       programs, and practices complied with FISMA requirements; applicable Federal laws,\n       regulations, and standards; relevant OMB Circular A-130, Appendix III, processes\n       and reporting requirements; and NIST and FIPS requirements.\n\n    \xef\x82\xb7\t Reviewed all relevant security programs and practices to report on the effectiveness of\n       the Department\xe2\x80\x99s agency-wide information security program in accordance with OMB\xe2\x80\x99s\n       annual FISMA reporting instructions. The evaluation approach addressed the reporting\n       instructions from OMB Memorandum M-11-33.\n\n\n2\n  OMB Memorandum 02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones;\n\nOMB Memorandum 04-04, E-Authentication Guidance for Federal Agencies; OMB Memorandum 06-19,\n\t\nReporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency \n\nInformation Technology Investments; OMB Memorandum 10-15, FY 2010 Reporting Instructions for the Federal \n\nInformation Security Management Act and Agency Privacy Management; and M-11-33, respectively. \n\n3\n  5 FAM, \xe2\x80\x9cInformation Management\xe2\x80\x9d and 12 FAM, \xe2\x80\x9cDiplomatic Security\xe2\x80\x9d. \n\n4\n  OMB Circular A-130 Revised Appendix III, \xe2\x80\x9cSecurity of Federal Automated Information Resources.\xe2\x80\x9d\n\t\n5\n  OMB Circular No. A\xe2\x80\x9311, Preparation, Submission, and Execution of the Budget. \n\n                                                         42\n                                              UNCLASSIFIED\n\x0c                                   UNCLASSIFIED\n\n                                      DRAFT\n\n\n\xef\x82\xb7\t Assessed programs for monitoring of security policy and program compliance and\n   responding to security events (that is, unauthorized changes detected by intrusion\n   detection systems).\n\n\xef\x82\xb7\t Performed testing of major systems at the discretion of OIG. We tested 30 systems\n   for our sample. (See Appendix I.).\n\n\xef\x82\xb7\t Assessed the adequacy of internal controls related to the areas reviewed. Control\n   deficiencies identified during the review are reported in the report.\n\n\xef\x82\xb7\t Evaluated the Department\xe2\x80\x99s remedial action taken to address the previously reported\n   Information Security Program control weaknesses identified in OIG\xe2\x80\x99s report Review of\n   Department of State Information Security Program (AUD/IT-11-07, Nov. 2010).\n\n\n\n\n                                           43\n                                   UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\n\n\n\n    Appendix B. Followup of Recommendations From the FY 2010 FISMA \n\n                                 Report\n\n       The evaluation team reviewed actions implemented by management to mitigate the\nfindings identified in the FY 2010 FISMA report. The current status of each of the\nrecommendations is as follows:\n\nRecommendation 1. We recommend that the Chief Information Officer verify the Federal\nInformation Security Management Act systems inventory list to the Information Technology\nAsset Baseline to ensure that all information technology systems are accurately accounted for.\n\n2011 Status: Closed. We reviewed the population of the FY 2010 fourth quarter FISMA\ninventory list and the population of the FY 2011 third quarter FISMA inventory list. We verified\nall changes between the two populations within ITAB. The list was accurate and complete.\n\nRecommendation 2. We recommend that the Chief Information Security Officer ensure that\nsystems operated by a contractor, including systems rated low cost and low impact, the security\nauthorization process, including completion of a risk assessment and implementation of\nnecessary security controls, and that security authorization packages are completed on a timely\nbasis.\n\n2011 Status: This recommendation is partially closed. The systems rated low cost and low\nimpact that are operated by contractors are websites hosted on foreign Internet Service\nProviders (ISPs). The Department cannot enforce FISMA/NIST requirements for websites hosted\non foreign ISPs, as FISMA and NIST are US law/standards. The evaluation found that security\nauthorization packages were not completed accurately and on a timely basis. It has become\nRecommendation 3 (Finding A) in the FY 2011 report.\n\nRecommendation 3. We recommend that the Chief Information Officer develop a process to\nperiodically update the resources recorded in the plans of action and milestones (POA&M) and\nthat it update, in the POA&Ms, those completion dates for corrective actions that have expired.\n\n2011 Status: This is open and a repeat recommendation from the FY 2010 report. It has become\nRecommendation 7 (Finding D) in the FY 2011 report\n\nRecommendation 4. We recommend that the Chief Information Officer, the Foreign Service\nInstitute, and the Bureau of Diplomatic Security implement methods to enforce the security\nawareness policy to suspend a user\xe2\x80\x99s access if the user has not taken the Cyber Security\nAwareness course within the required timeframe.\n\n2011 Status: This is open and a repeat recommendation from the FY 2010 report. It has\nbecome Recommendation 6 (Finding C) in the FY 2011report.\n\n\n\n\n                                               44\n                                       UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\n\nRecommendation 5. We recommend that the Chief Information Officer, the Foreign Service\nInstitute, and the Bureau of Diplomatic Security complete the Department of State\'s\ncorrective action plan (which involves Active Directory, security awareness completion data,\nand iPost) to enforce the security awareness policy to suspend a user\xe2\x80\x99s access if the Cyber\nSecurity Awareness course is not taken within the required timeframe.\n\n2011 Status: This is open and a repeat recommendation from the FY 2010 report. It has\nbecome Recommendation 6 (Finding C) in the FY 2011report.\n\nRecommendation 6. We recommend that the Chief Information Officer and the Bureau of\nDiplomatic Security define and identify personnel who have significant security\nresponsibilities and ensure that they receive the appropriate training. Also, the Student\nTraining Management System should be modified to capture other training systems, such as\nthose paid for by the Department of State, to meet continuing professional education\nrequirements.\n\n2011 Status: Closed. In the evaluation we were able to identify the titles of personnel who\nhave significant security responsibilities in the IA Training Plan.\n\nRecommendation 7. We recommend that the Chief Information Officer complete the end-to-\nend configuration management initiative, including implementation of the standard operating\nenvironment.\n\n2011 Status: This is open and a repeat recommendation from the FY 2010 report. It has\nbecome Recommendation 4 (Finding B) in the FY 2011 report.\n\nRecommendation 8. We recommend that the Chief Information Officer:\n\nInstall an NIST approved encryption algorithm that controls access to support controls access\nto OpenNet Everywhere (ONE), reconfigure the ONE session timeout setting to 20 minutes,\nretain remote access authorization forms to show supervisory approval, and document the\nnecessary risk assessment to determine the electronic authentication level for ONE.\n\n2011 Status: Closed. The evaluation assessed Global OpenNet (GO), the replacement for\nONE, and found the security controls were implemented in accordance with OMB and NIST.\nBased on the electronic process from the implementation of GO, we have determined that the\nelectronic authorization forms requires supervisory and executive director approval before\nthe remote access user receives a FOB key.\n\nRecommendation 9. We recommend that the Chief Information Officer enhance the Active\nDirectory account management automated tools to flag accounts that have not been used\nwithin the past 60 days and ensure that all accounts are configured with passwords that expire\nevery 60 days.\n\n2011 Status: This is open and a repeat recommendation from the FY 2010 report. It has\nbecome Recommendation 8 (Finding E) in the FY 2011 report.\n\nRecommendation 10. We recommend that the Chief Information Officer ensure that\n                                               45\n                                       UNCLASSIFIED\n\x0c                                         UNCLASSIFIED\n\n\nprogram managers and office managers annually review access privileges of users under their\nsupervision so that the number of guest, test, and temporary accounts and accounts that have\nnot been used is reduced.\n\n2011 Status: This is open and a repeat recommendation from the FY 2010 report. It has\nbecome Recommendation 8 (Finding E) in the FY 2011 report.\n\nRecommendation 11. We recommend that the Bureau of Diplomatic Security implement\nproper staff awareness through training and have shift supervisors, as part of the shift change\nprocedures, ensure that personally identifiable information data incidents are reported to the\nU.S. Computer Emergency Response Team within the required 1-hour timeframe.\n\n2011 Status: Closed. The evaluation found that Diplomatic Security ensures that personally\nidentifiable information data incidents are reported to US CERT within the required 1-hour\ntimeframe.\n\nRecommendation 12. We recommend that the Chief Information Officer include, under its\ncontinuous monitoring program scanning results for databases, firewalls, routers, and switches\nand include the results in the Risk Scoring Program dashboard.\n\n2011 Status: This is open and a repeat recommendation from the FY 2010 report. It has\nbecome Recommendation 11 (Finding G) in the FY 2011 report.\n\nRecommendation 13. We recommend that the Chief Information Officer identify the\nsecondary site for the State Messaging and Archive Retrieval Toolset (SMART) system and\ncomplete development of the SMART\xe2\x80\x99s system contingency plan.\n\n2011 Status: This is open and a repeat recommendation from the FY 2010 report. It has\nbecome Recommendation 14 (Finding I) in the FY 2011 report.\n\nRecommendation 14. We recommend that the Bureau of Administration review all relevant\ninformation technology and professional services contracts to ensure that they contain the\nrequired Department of State Acquisition Regulations information security clauses.\n\n2011 Status: Closed.\n\nRecommendation 15. We recommend that the Bureau of Diplomatic Security, in coordination\nwith the Bureau of Administration, establish procedures to identify the total number of contractors\nwho have access to Department of State systems.\n\n2011 Status: This is open and a repeat recommendation from the FY 2010 report. It has\nbecome Recommendation 18 (Finding J) in the FY 2011 report.\n\n\n\n\n                                                  46\n                                         UNCLASSIFIED\n\x0c                                               UNCLASSIFIED\n\n\n             Appendix C. Systems With Invalid Authority To Operate\n        As part of the security authorization testing, we requested the most recent authorities to\noperate (ATOs) for the sample of 30 systems. The ATO is the final security authorization\ndecision from the designated authorizing official to the information system. Per National\nInstitute of Standards and Technology Special Publication 800-37,1 the authorization decision\ndocument contains the following information: authorization decision, terms and conditions for\nthe authorization, and authorization termination date.\n\n                          Table 1. Systems With Invalid Authority To Operate\n\n                  Bureau           Name           Package         Type              FIPS\n                   Name                             No.                         Categorization\n                    EUR         EXTRANET           1140         UNCL                     L\n\n                     IO            USEVI           2412         UNCL                     L\n\n                    IRM             TEDS            593           CL                     H\n\n                    IRM           WINAD             633         UNCL                     M\n\n                    IRM             TDS             719           CL                     H\n\n                    IRM          WebPASS            744         UNCL                     M\n\n                    IRM          SMART-C           2744           CL                     H\n\n                      L            IDMAS            647         UNCL                     H\n\n                    IRM           OpenNet           633         UNCL                     M\n\n                    IRM           ClassNet          631           CL                     H\n\n                   Legend\n                    Bureaus                                            System Classification and\n                                                                       Categorization\n                    EUR-Bureau of European Affairs                     CL- Classified Network\n                    IO-Bureau of International Organization Affairs    UNCL- Unclassified Network\n                    IRM- Bureau of Information Resource Management     H- High Impact\n                    L- Office of the Legal Advisor                     M- Moderate Impact\n\n\n\n\n1\n NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, Feb\n2010\n                                                   47\n                                               UNCLASSIFIED\n\x0c                                          UNCLASSIFIED\n\n\n         Appendix D. Systems With Outdated Security Baseline Controls\n       In the evaluation, we assessed a sample of 30 systems (see Appendix I) to determine\nwhether the systems were in compliance with National Institute of Standards and Technology\n(NIST) Special Publication (SP) 800-53 Revision 3, Recommended Security Controls for\nInformation Systems (August 2009) (last updated May 1, 2010). NIST SP 800-53 Revision 3\nprovides guidelines for selecting and specifying security controls (management, operational, and\ntechnical) for information systems supporting the executive agencies of the Federal Government\nto meet the requirements of FIPS 200, Minimum Security Requirements for Federal Information\nand Information Systems.\n\n       Table 1 lists the systems for which security controls have not been updated to comply\nwith NIST SP 800-53 Revision 3.1\n            Table 1. Systems With Outdated Security Baseline Controls\n\n    Sample #     Bureau         Name         Package       Type          FIPS           Compliance\n                 Name                          No.                   Categorization       (Y/N)\n       1           A            ILMS          830        UNCL             M                 N\n\n       2           CA          IVAMS           97        UNCL               M                 N\n\n       3           CA            FEP           344       UNCL               M                 N\n\n       4           CA          PLOTS           346       UNCL               M                 N\n\n       5           CA          CLASS           558       UNCL               H                 N\n\n       6           CA            MIS           724       UNCL               M                 N\n\n       7           CA           OPSS           898       UNCL               M                 N\n\n       8           CA           PLMS          4547       UNCL               M                 N\n\n       9            DS           CMS           424       UNCL               M                 N\n\n       10           DS         SIMAS           798       UNCL               M                 N\n\n       11           DS          IDMS          1000       UNCL               M                 N\n\n       12          EUR       EXTRANE          1140       UNCL               L                 N\n                                T\n\n\n1\n  OMB Memorandum M-11-33 FY 2011 FAQs states that agencies are expected to be in compliance with NIST\nstandards and guidelines within one year of the publication date unless otherwise directed by OMB.\n                                                          48\n                                          UNCLASSIFIED\n\x0c                                                  UNCLASSIFIED\n\n\n\n  13               HR                 GTS              843           UNCL                    M                      N\n\n  14               IIP           CMS (IIP)             600           UNCL                    L                      N\n\n  15                IO              USEVI             2412           UNCL                    L                      N\n\n  16              IRM              WINAD               633           UNCL                    M                      N\n\n  17              IRM            OPENNET               634           UNCL                    M                      N\n                                 (Transport)\n  18              IRM               TDS                719             CL                    H                      N\n\n  19              IRM            WebPASS               744           UNCL                    M                      N\n\n  20              IRM              SMART -            2743           UNCL                    M                      N\n                                     SBU\n  21              IRM               EDW               2747           UNCL                    M                      N\n\n  22                 L             IDMAS               647           UNCL                    H                      N\n\n  23             M/PRI                eCC              966           UNCL                    M                      N\n\n  24              MED               eMED               299           UNCL                    M                      N\n\n\nLegend\n                                                        Bureaus\n\n A \xe2\x80\x93 Bureau of Administration                         IO-Bureau of International Organization Affairs\n CA \xe2\x80\x93 Bureau of Consular Affairs                      IRM- Bureau of Information Resource Management\n DS \xe2\x80\x93 Bureau of Diplomatic Security                   L- Office of the Legal Advisor\n EUR - Bureau of European Affairs                     M/PRI \xe2\x80\x93 Office of Management Policy, Rightsizing and Innovation\n HR \xe2\x80\x93 Bureau of Human Resources                       MED \xe2\x80\x93 Office of Medical Services\n IIP \xe2\x80\x93 Office of International Information Programs\n                                      System Classification and Categorization\n\n                  Classification                                              Categorization\n CL- Classified Network                               H- High Impact\n UNCL- Unclassified Network                           M- Moderate Impact\n                                                      L \xe2\x80\x93 Low Impact\n\n\n\n\n                                                             49\n                                                  UNCLASSIFIED\n\x0c                                              UNCLASSIFIED\n\n\n                            Appendix E. Vulnerability Assessment\n        As part of the evaluation, we requested that the Bureau of Diplomatic Security, Security\nInfrastructure Directorate, Office of Computer Security (DS/SI/CS), execute vulnerability scans\non a sample of 16 systems during the period August 1 to September 1, 2011. A total of 472\nhosts1 from the 16 systems were active and tested. DS/SI/CS is responsible for performing\nvulnerability scans on the Department\xe2\x80\x99s systems as part of its security assessment duties. As part\nof the Department\xe2\x80\x99s continuous monitoring program, DS stores the vulnerability scans in a\ndatabase for iPost. iPost subsequently retrieves the vulnerability scan results and analyzes the\nresults for the risk scoring program. For the systems tested, we reviewed the vulnerability scan\nconfigurations, analyzed the results, and summarized the results. The weaknesses we identified\nare summarized as follows:\n\n             A. Systems, operating systems, and applications with critical system and security\n                patches which had not been applied.\n             B. Systems that did not meet the standards set forth in the System Configuration\n                Policy and Procedures.\n             C. Systems that allowed access to system resources via anonymous logins and\n                passwords, default credentials, and unsecured access points.\n\n        The risk ratings are defined as follows:\n\n        \xef\x82\xb7\t High Risk - Exploitation of the vulnerability discovered on the system can directly\n           lead to an attacker gaining privileged access (for example, an administrator or a, root\n           accounts) to the machine over a remote connection. Examples are: IIS Remote Data\n           Services, remote procedure call automount daemon (RPC Automountd).\n        \xef\x82\xb7\t Medium Risk - The vulnerability discovered on the system can lead directly to an\n           attacker gaining non-privileged access (for example, standard user) to the machine\n           over a remote connection. Examples are: Coldfusion viewexample.cfm and, Open\n           and accessible NetBIOS ports.\n        \xef\x82\xb7\t Low Risk - The vulnerability discovered on the system provides enticement data to\n           the attacker that may be used to launch a more informed attack against the target\n           environment. In addition, the vulnerability may indirectly lead to an attacker\xe2\x80\x99s\n           gaining some form of access to the machine over a remote connection.\n\n\n\n\n1\n  A host is computer that is connected to a Transmission Control Protocol/Internet Protocol (TCP/IP) network,\nincluding the Internet. Each host had a unique IP address.\n\n                                                        50\n                                              UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\nA. Vulnerabilities and Unpatched Systems\n\n       For the 16 systems tested, the total number of high, medium, and low risk\nvulnerabilities identified during vulnerability analyses are shown in Table 1.\n\n                       Table 1. Host Vulnerabilities By Risk Rating\n\nNo.   System Name       Active Hosts       Number of High      Number of            Number of\n                       (Number of IP           Risk           Medium Risk            Low Risk\n                         Addresses)        Vulnerabilities    Vulnerabilities      Vulnerabilities\n 1        FEP                6/6                214                269                   45\n 2      IAVMS              11/13                237                265                   58\n 3       OPSS                4/9                 87                143                   28\n 4      PLOTS                2/2                 25                 58                    9\n 5        FSA               9/13                175                203                  56\n 6       EDW                 9/9                153                269                  56\n 7     WebPASS              2/11                 27                 40                   14\n 8       EMED                7/9                228                300                   48\n 9      CLASS              12/12                 71                315                  75\n10       ILMS             163/512              3,193              2,818                 702\n11        MIS                4/4                 93                125                  28\n12       PLMS              10/10                313                454                   75\n13       IPMS             182/258              2,274              4,870                1,265\n14     OPENNET             10/10                175                390                  103\n15      WINAD              10/10                  9                 36                   9\n16     Smart-SBU           31/59               1,246              1,099                 229\n      TOTAL               472/947              8,520             11,654                2,800\n\n\n\n\n                                               51\n                                       UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\n       For the 16 systems tested, the total number of patches that were not installed on\nthe hosts, by system, are shown in Table 2.\n                (b) (5)\n\n\n\n\n       For the 16 systems tested, we performed an analysis of the Common Vulnerabilities and\nExposures (CVEs) and risk ratings. CVE is a dictionary of publicly known information security\nvulnerabilities and exposures. The number of weaknesses identified are shown in Table 3, and\nthe number of vulnerabilities are shown in Table 4.\n\nTable 3. Number of Vulnerabilities Identified by CVE and Risk Rating\n                          CVE ID No.   Risk Rating        Number of\n                                                         Vulnerabilities\n                                                           Identified\n                          CVE-2008       High                 613\n                          CVE-2008      Medium               1,559\n                          CVE-2009       High                1,109\n                          CVE-2009      Medium               1,466\n                          CVE-2010       High                1,529\n                          CVE-2010      Medium               1,797\n                          CVE-2011       High                3,002\n                          CVE-2011      Medium               1,261\n\n\n\n\n                                                 52\n                                       UNCLASSIFIED\n\x0c                                                 UNCLASSIFIED\n\n\n\n                        Table 4. Total Number of Vulnerabilities by CVE and Year\n\n\n\n\n          B. Security Configuration Compliance\n\n             We also compared a sample of mandatory DS configuration settings with what is being\n          checked and identified the weaknesses shown in Table 5.\n(b) (5)\n\n\n\n\n                                                       53\n\t\n                                                 UNCLASSIFIED\n\x0c                                               UNCLASSIFIED\n\n\n      SMART-SBU         Windows File Permissions for   For file: %systemdrive%\\AUTOEXEC.BAT The following\n                        file:                          accounts should have the specified permissions: Account\n      MSSMTPDFBE01      %systemdrive%\\AUTOEXEC         Sid = S-1-5-32-544; name = Administrators; permissions =\n                        .BAT                           XRQNWATBUDEPO(full) Account Sid = S-1-5-18; name\n                                                       = System; permissions = XRQNWATBUDEPO(full)\n                                                       Account Sid = S-1-5-32-545; name = Users; permissions =\n                                                       XRQNE(read and execute) No other accounts should have\n                                                       any rights.\n\n\n      C. Anonymous Logins and Passwords\n\n               Although the logical access weaknesses identified in Table 6 are not categorized as high\n      risk, the default passwords were not in accordance with FAM policies.\n(b) (5)\n\n\n\n\n                                                        54\n                                               UNCLASSIFIED\n\x0c                                                  UNCLASSIFIED\n\n\n              Appendix F. Systems Without Annual Backup Plan Testing\n       As part of the contingency plan testing, we requested annual backup test results for the\nsample of 25 systems. According to Department of State officials, each system owner is\nresponsible for testing the backup media to verify media reliability and information integrity.\n\n        The systems for which system owners did not provide documentation of annual backup\ntests are shown in Table 1.\n\n\n                       Table 1. Systems Without Annual Backup Plan Testing\n\n\n                                                 Package                              FIPS         Annual Backup\nSample #          Bureau           Name            No.             Type           Categorization      Testing\n   1                 A             ILMS            830             UNCL                M                N\n   2                 A            S-ILMS          2716              CL                 H                N\n   3                CA            IVAMS             97             UNCL                M                N\n   4                CA              FEP            344             UNCL                M                N\n   5                CA            PLOTS            346             UNCL                M                N\n   6                CA             PLMS           4547             UNCL                M                N\n   7                CA              MIS            724             UNCL                M                N\n   8                DS              CMS            424             UNCL                M                N\n   9                HR              GTS            843             UNCL                M                N\n  10               IRM              TDS            719              CL                 H                N\n  11               IRM           WebPASS           744             UNCL                M                N\n  12               IRM           SMART -          2743             UNCL                M                N\n                                    SBU\n   13              IRM           SMART-             2744              CL                  H             N\n                                     C\n   14               L             IDMAS             647            UNCL                   H             N\n   15              MED             eMED             299            UNCL                   M             N\n\n Legend\n                                          Bureaus\n\n   A \xe2\x80\x93 Bureau of Administration          IRM- Bureau of Information Resource Management\n   CA \xe2\x80\x93 Bureau of Consular Affairs       L- Office of the Legal Advisor\n   DS \xe2\x80\x93 Bureau of Diplomatic Security    MED \xe2\x80\x93 Office of Medical Services\n   HR \xe2\x80\x93 Bureau of Human Resources\n                           System Classification and Categorization\n\n              Classification                              Categorization\n   CL- Classified Network                H- High Impact\n   UNCL- Unclassified Network            M- Moderate Impact\n\n\n\n\n                                                              55\n                                                  UNCLASSIFIED\n\x0c                                     UNCLASSIFIED\n\n\n                 Appendix G. Servers Without Critical Patches\n\n     The 17 servers that did not have critical patches installed are shown in Table 1.\n(b) (5)\n\n\n\n\n                                              56\n\t\n                                     UNCLASSIFIED\n\x0c                                           UNCLASSIFIED\n\n\n\n    Appendix H. Summary of Department of State Continuous Monitoring\n               Controls Compliance With Federal Guidance\n       Deficiencies noted in the Department of State\xe2\x80\x99s continuous monitoring controls\nin accordance with Office of Management and Budget Memorandum M-11-33, FY\n2011 Reporting Instructions for the Federal Information Security Management Act and\nAgency Privacy Management, dated September 14, 2011, and National Institute of\nStandards and Technology Special Publication 800-37, Guide for Applying the Risk\nManagement Framework to Federal Information Systems, Revision 1, dated February\n2010, are shown in Table 1.\n      Table 1. Analysis of Continuous Monitoring Compliance With Federal\nGuidance\n\nRegulation Source   Continuous Monitoring           Implemented   Comment\n                    Components\nOMB                                                 Partially     Control deficiencies were noted in the\nMemorandum 11-      Continuous monitoring           Implemented   following sections:\n33                  programs and strategies\n                    should address:                                   \xef\x82\xb7   Risk Management (Finding\n                    (i) the effectiveness of                              A)\n                    deployed security controls;                       \xef\x82\xb7   Configuration Management\n                                                                          (Finding B)\n                                                                      \xef\x82\xb7   Plans of Actions and\n                                                                          Milestones (Finding D)\n\nOMB                 (ii) changes to information     Partially     Several control deficiencies were\nMemorandum 11-      systems and the                 Implemented   noted in configuration management.\n33                  environments in which those                   (Finding B)\n                    systems operate; and.\n\n\n\n\nOMB                 (iii) compliance to federal     Partially     Based upon the control deficiencies\nMemorandum 11-      legislation, directives,        Implemented   identified in this report, the\n33                  policies, standards, and                      Department is not in compliance with\n                    guidance with regard to                       FISMA regulations.\n                    information security and risk\n                    management. Agencies will\n                    be required to report the\n                    security state of their\n                    information systems and\n                    results of their ongoing\n                    authorizations through\n                    CyberScope in accordance\n                    with the data feeds defined\n                    by DHS.\n\n\n\n\n                                                    57\n                                           UNCLASSIFIED\n\x0c                                          UNCLASSIFIED\n\n\n                 Configuration management       Partially     Several control deficiencies were\n                 and control processes for      Implemented   noted in configuration management.\nNIST SP 800-37   organizational information                   (Finding B)\n                 systems\n\n\n\n\n                                                Implemented   No findings noted.\n                 To assess the Security\n                 Impact Changes\n                 To assess the subset of        Partially     Three systems [Content Management\n                 management, technical, and     Implemented   System (CMS), WebPASS, and\n                 operational controls                         SMART-C] did not have an annual\n                                                              assessment of security controls\n                                                              performed as part of its continuous\n                                                              monitoring of annual controls.\n                                                              (Finding A)\n\n                 Security status reporting to   Partially     The Department\xe2\x80\x99s Plans of Action\n                 appropriate organizational     Implemented   and Milestones (POA&M) process is\n                 officials                                    not fully and effectively implemented\n                                                              and the program is not compliant with\n                                                              FISMA and OMB requirements.\n\n                                                              The Department has not implemented\n                                                              a POA&M process to address and\nNIST SP 800-37\n                                                              resolve security weaknesses identified\n                                                              on ClassNet GSS.\n\n                                                              In addition, the evaluation found the\n                                                              Department has not implemented\n                                                              effective corrective actions to address\n                                                              the POA&M control weaknesses\n                                                              within the OpenNet GSS identified in\n                                                              the FY 2010 report Review of the\n                                                              Information Security Program at the\n                                                              Department of State. (Finding D)\n                 Active involvement by          Partially     For authority to operate (ATO),\n                 authorizing officials in the   Implemented   which provides proof that an\n                 ongoing management of                        authorizing official approved a\n                 information system-related                   system to operate, the evaluation\n                 security risks.                              found that nine of 30 systems tested\n                                                              did not have a full security\n                                                              assessment and authorization\n                                                              performed. (Finding A)\n\n\n\n\n                                                58\n                                          UNCLASSIFIED\n\x0c                                      UNCLASSIFIED\n\n\n Appendix I. Sample Selection of Information Systems Listed in Information \n\n          Technology Asset Baseline Used for FY 2011 Evaluation \n\n      The sample selection described in the title of this appendix is shown as follows:\n\n         Name                 Acronym                Bureau               Classification   Categorization\n\nIntegrated Logistics           ILMS        Bureau of Administration       Unclassified       Moderate\nManagement System\nSecure-Integrated             S-ILMS       Bureau of Administration        Classified          High\nLogistics Management\nSystem\nImmigrant Visa Allocation     IVAMS        Bureau of Consular Affairs     Unclassified       Moderate\nManagement System\nFront End Processor            FEP         Bureau of Consular Affairs     Unclassified       Moderate\nPassport Lookout              PLOTS        Bureau of Consular Affairs     Unclassified       Moderate\nTracking System\nConsular Lookout &            CLASS        Bureau of Consular Affairs     Unclassified         High\nSupport System\nManagement Information          MIS        Bureau of Consular Affairs     Unclassified       Moderate\nSystem\nOnline Passport Status         OPSS        Bureau of Consular Affairs     Unclassified       Moderate\nService\nPassport Lockbox               PLMS        Bureau of Consular Affairs     Unclassified       Moderate\nManifest Search\nCase Management System          CMS   Bureau of Diplomatic                Unclassified       Moderate\n                                      Security\nSecurity Incident            SIMAS    Bureau of Diplomatic                Unclassified       Moderate\nManagement and Analysis               Security\nIdentity Management           IDMS    Bureau of Diplomatic                Unclassified       Moderate\nSystem                                Security\nFSA Eurasia Database           FSA    Bureau of Educational and           Unclassified       Moderate\n                                      Cultural Affairs\nextranet.usembassy.it      EXTRANET Bureau of European and                Unclassified         Low\n                                      Eurasian Affairs\nGateway to State               GTS    Bureau of Human                     Unclassified       Moderate\n                                      Resources\nIntegrated Personnel          IPMS    Bureau of Human                     Unclassified       Moderate\nManagement System                     Resources\nContent Management          CMS (IIP) Bureau of International             Unclassified         Low\nSystem                                Information Programs\nUnited States Embassy        USEVI    Bureau of International             Unclassified         Low\nVienna Internet website               Organizations\nCOMSEC Accounting            CARDS    Bureau of Information                Classified        Moderate\nReporting and Distribution            Resource Management\n                                              59\n                                      UNCLASSIFIED\n\x0c                                   UNCLASSIFIED\n\n\n\nSystem\nTelegram Distribution       TEDS      Bureau of Information         Classified     High\nSystem                                Resource Management\nWindows Active             WINAD      Bureau of Information        Unclassified   Moderate\nDirectory                             Resource Management\nOpenNet Plus Transport     OPENNET    Bureau of Information        Unclassified   Moderate\nGSS                                   Resource Management\nTelegram Delivery System     TDS      Bureau of Information         Classified     High\n                                      Resource Management\nWeb Post Administrative    WebPASS    Bureau of Information        Unclassified   Moderate\nSoftware Suite Explorer               Resource Management\nSMART Core Messaging-      SMART -    Bureau of Information        Unclassified   Moderate\nUnclassified                 SBU      Resource Management\nSMART Core Messaging-      SMART-C    Bureau of Information         Classified     High\nClassified                            Resource Management\nEnterprise Data             EDW       Bureau of Information        Unclassified   Moderate\nWarehouse                             Resource Management\nIntegrated Document         IDMAS     Office of the Legal          Unclassified    High\nManagement & Analysis                 Advisor\nSystem\neCountryClearance            eCC      Office of Management         Unclassified   Moderate\n                                      Policy, Rightsizing and\n                                      Innovation\nElectronic Medical          eMED      Office of Medical Services   Unclassified   Moderate\nRecords System\n\n\n\n\n                                        60\n                                   UNCLASSIFIED\n\x0c                               UNCLASSIFIED\n\n\n\n           Appendix J. Department of State Response\n\n\n\n\n                                                      United States Department or Stale\n\n                                                      Clrj~/In/ormatjon Offiur\n                                                      Information Rt!Sollt\'U Manug~~nt\n\n                                                      Washington, D.C 10511}.6) II\n\n                                                  November 2,2011\n\nUN L A IFIED\nMEM ORANDUM\n\nTO:         OIG - Mr. Harold W. Geisel\n\nFROM:       IRM - Susan H. Swart   .,,\xc2\xa3J\nSU BJ ECT: Departme nt Response to Draft Report on Evaluation of Department of\n           State Information Security Program\n\nREF:        OIG Me mo Dated Oct. 26, 20 11 Subject: Draft Report on Eval uation\n            of De partment of State Information Security Program\n\nThank you for the opportunity to provide comments on the draft ""Report on\nEvaluation of Department of State Inrormation Security Program Report for 2011"\n(010 FISMA report). Our response to the annual 0 10 FISMA report is attached\nand was coordinated with the Bureau of Diplomatic Security, Bureau of\nAdminist ration, Bureau of Human Resources, and the Foreign Service Inst itute.\nPlease consider this a consolidated reply to you r request.\n\n\n\n\n                                 UNCLASS IFIEP\n\n\n\n\n                                           61\n\t\n                               UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\n\n\n                                           UNCLASSIFIED\n\n\n\n\n                Department Response to Draft Report on\n     Evaluation of Department of State Infonnation Security Program\nBefore addressing individual recommendations, the Department would like to provide a few\noverview secti ons to addre~s scveral th emes thai run thru this year\'s OIG I\'ISM A report _\n\n1) Use of Continuous monitoring to repla{\'(\' traditional Certification and Author;ution:\nThe FISMA FY20 11 reporting instructions (OMB mcmorandum 11-33) explicitly offer the\nExecutive Departments and Agcncies th e authority to substitute an appropriate risk-based\ncontinuous monitoring program in lieu of the formerly required reauthori zations that had\npreviously been required evcry three yeaTS _ In relevant part, the instructions state:\n\n         Is a 8N:urity n-anthorization still rt<lnir\'ed eWI\xc2\xb7y three yearll 01\xc2\xb7 when an informati()n\n         SYlItrm has undr rgone significant change as stated in OMR Circular A-130? No _ Rathcr\n         than enforoing a static, three-year reauthorization process, agencies are expected to conduct\n         ongoing authorization. of information \'Y"t~m. through th~ impkm(;ntation of (;ontinuou.\n         moni toring programs ... Continuous monitoring programs thus fulfill th(; thllOe-ycar so;c urity\n         reauthorization requirement, so a sqmrat(; re-authorization process is not neoessary_ 1\n\nThe Department chose to implement OMD"s guidance and instructions and base ongoing\nreauthorization of the Department\'s networks (not applications) on continuous monitoring. TIle\nOIG doe~ not concur with the Department \xc2\xb7s acceptance of this risk. and the FlSM A reporting\ninstructions provide instructions for addressing such disagreements_ In re levant part, the\ninstructions state:\n\n         Who is responsihle for deciding the acceptahle level of risk (e.g., the C\'O, pl"Ogmm\n         officials and system owners, 01\xc2\xb7 the IG)? What if they (The CIO and th e OIGI\n         disagree? The agenci head ultimately is responsible for decidin g the acceptable level of\n         risk for their agency_\n\n2) Compliance ,"s. Risk_nased Anahsis: Under th e FISMA FY20 II reporting instructions,\nboth the Department and the OIG are required to take a risk-based approach. Applying this\nprinciple, compli.Ulce of guide line~ ~ho uld only be perfoillled when the ri~k of non-compliance      i~\nassessed_ Moreover, simple compliance may not he enough to address risk _\n\n\'the report f\'lUl ~ the Department\'~ ri~k scoring program bec\'lU~e it does not currentl y include\nrouters and switches. However, th e Department did scan its routers and switches to assess\nvulnerabilities) and fOWld a risk score of 7,476 points assoc iated with routers and switches\ncomparoo to a ~core of 160,000,000 aCTO~S all device~ originally sca]Uled in 2008. "Ihe\nvulnerabi lities posed by routers and switches represent less than 0.005% of total vulnerabilities.\n\n\'OMB M-1l-33. FAQ28.\n\' OM6 M-1l-33, FAQ 1$.\n, CVEs\n\n                                           UNC LASS IFIED\n\n\n\n\n                                                    62\n\t\n                                        UNCLASSIFIED\n\n\x0c                                           UNCLASSIFIED\n\n\n\n\n\n                                               UNCLASSIFIED\n                                                         2\n\nIf the height of the Washington Monument 4 represented all the risk scored by State\'s\nVulnerability Scanner in iPost as of the summer of2008, the amount represented by the\nvulnerabilities on routers and switches today is less than 0.34 inches. While that 0.34 inches is a\nrisk, it is minuscule compared to the metaphorically equivalent of 555 feet of original risk.\n\nApplying the risk-based principles, the Department fully intends to perform a risk-based analysis\nand prioritize the OIG findings and address the corresponding recommendations accordingly.\nThe Department, again applying the risk-based approach, is obligated to address higher risk\nissues before addressing OIG findings and recommendations.\n\n3) Completeness vs. Timeliness: The traditional FISMA three-year reauthorization process\nfocuses on "completeness" oftesting and remediation, largely ignoring timeliness. Likewise,\nthis report focuses on the completeness of the Department\'s continuous monitoring program,\nimplying the program is inadequate and ineffective if it is not 100% complete.\n\nA current Massachusetts Institute of Technology (MIT) Lincoln Labs study quantifies the\ntradeoff between completeness and timeliness in reducing security risk on a network. The study\nshows that a regimen of complete testing annually5 is only as effective at reducing risk as testing\n17% of controls every 2 months. 6 Because the Department\'s continuous monitoring program is\nboth 3-4 times more complete and 20 times timelier than the second case above 7, one can\nreasonably conclude it is more effective than a complete but slow process such as the traditional\nFISMA three-year authorization process. Timeliness is important because it is commensurate\nwith those who attack our networks - at Internet speed. To prevent attacks, we must be faster at\nremoving weaknesses than they are at exploiting them.\n\nThe Department has worked tirelessly to increase the timeliness of detection and remediation of\nthe highest priority weaknesses, which is consistent with both the principles of continuous\nmonitoring and a risk-based approach.\n\n4) Accuracy of Findings: In many cases, the Department found the OIG findings significantly\noverstate the quantitative size of problems. As a result, the Department\'s management responses\nstate we must first accurately assess the size and nature of the assumed problem, before\nprioritizing and selecting a management approach.\n\nOne example of inaccuracy is located in section E of the draft OIG report. In this section, the\nOIG documented account types requiring a business justification. However, the OIG did not\nprovide evidence that such a justification was missing. The Department evaluated a small\nscientifically valid sample of the aforementioned accounts and checked them for a business\n\n\n\' According to the National Park Service, http://www.nps.gov!wamo!index.htm. the Washington Monument is 555\nfeet and 51/8 inches tall.\n\' This is more timely than complete testing of all 800-53 controls every three years, as formerly required by FISMA,\nand which we assume the DIG would accept as compliant.\n\xe2\x80\xa2 This example is based on several assumptions that do apply to State. However they are not addressed here to\nmake this description suitably concise. The Department would be happy to rev iew this study with the auditors.\n, And 300 times more timely than meeting the former FISMA requirements.\n\n\n\n\n                                                        63\n\t\n                                           UNCLASSIFIED\n\n\x0c                                              UNCLASSIFIED\n\n\n\n\n\n                                                  UNCLASSIFIED\n                                                       3\n\njustification. The vast majority had a valid business justification. As such, the OIG draft report\noverstates the extent of the problem by 380% on one network, and by 1,100% on another.\n\n5) Conclusions: The Department disagrees with the OIG on whether continuous monitoring, as\ncurrently conducted, produces lower risk than a traditional C&A program, and on the relative\nimportance of completeness and compliance vs. timeliness and risk-based prioritization. Having\ncarefully considered these factors, the Department is convinced its continuous monitoring\nprogram, which is 300 times more timely than traditional three-year reauthorizations, produces\n                                 8\nsignificantly lower security risk on its networks.\n\n6) Management Responses to Recommendations: The remainder of this response provides\nspecific management responses to each of the draft OIG recommendations in the context of the\noverall comments provided above.\n\nRecommendation 1: {Section A} We recommend that the Information Security Steering\nCommittee (ISSC) meet on a monthly basis to fulfill its purpose and responsibilities as required\nin IS SC charter.\n\n       Department Response to Recommendation 1:\n\n               The Department does not agree that the lack of meetings poses any material risk to the\n               security of the Department. Moreover, there is no requirement that this voluntarily\n               created internal group meet with recurring frequency. The Department exercised its valid\n               authoritl to conclude there was no need to meet and believes there is no basis for OIG to\n               substitute its own judgment. The ISSC chairpersons will survey the ISSC membership on\n               reasons to meet, and conduct meetings accordingly.\n\nRecommendation 2: {Section A} We recommend that the Information Security Steering\nCommittee improve its risk management strategy at the organizational level for assessing,\nresponding to, and monitoring information security risk as required in the Foreign Affairs\nManual and the National Institute of Standards and Technology Special Publication 800-39.\n\n       Department Response to Recommendation 2:\n\n               The Department agrees that some increased level of documentation in this area could be\n               beneficial. The Department notes that under the OMB instructions guidance, it is the\n               Department\'s judgment that shall decide how much documentation is needed to reduce\n               risk. 10 The Department\'s Designated Authorizing Authority (DAA) will determine the\n               level of documentation adequate to manage risk.\n\n\n\n\n8   Neither produce zero risk, and achieving zero risk is not foreseeable.\n9   0MB M-1l-33\nlOOp.   cit.\n\n\n\n\n                                                           64\n\t\n                                              UNCLASSIFIED\n\n\x0c                                           UNCLASSIFIED\n\n\n\n\n\n                                               UNCLASSIFIED\n                                                         4\n\nRecommendation 3: {Section A} We recommend that the Chief Information Officer:\n   \xe2\x80\xa2 Improve oversight of the security assessment and authorization process for the\n     Department\'s information systems, especially the OpenNet General Support System\n     (GSS) and ClassNet GSS as required by the National Institute of Standards and\n     Technology (NIST) (SP) 800-37.\n   \xe2\x80\xa2 Improve existing procedures to ensure security authorization packages are updated every\n     3 years or when a significant change occurs or develop a risk-based approach for\n     implementing a continuous monitoring strategy as required by NIST SP 800-37.\n   \xe2\x80\xa2 Improve existing procedures to ensure Systems Security Plans and Systems Assessment\n     Reports are updated as required to comply with the security baseline controls contained\n     in NIST SP 800-53 (Revision 3).\n   \xe2\x80\xa2 Perform annual security assessments of a subset of a system\'s security controls as\n     required by NIST SP 800-37.\n\n       Department Response to Recommendation 3:\n\n            With regard to bullet 2, we note that FISMA FY2011 reporting instructions explicitly\n            removed any such requirement. We quote:\n\n           Is a security reauthorization still required every 3 years or when an information\n           system has undergone significant change as stated in OMB Circular A-130? No.\n           Rather than enforcing a static, three-year reauthorization process, agencies are expected\n           to conduct ongoing authorizations of information systems through the implementation of\n           continuous monitoring programs. [1] (emphasis in original)\n\n            Based on this instruction, the Department does not agree with the recommendation in\n            bullet l.\n\n            With regard to bullet 3, the new NIST SP 800-53 guidance was not fully implemented[2]\n            until June 2010, and thus compliance was not required for C&As starting before June\n            2011. All Department C&As commencing after June 2011 will comply with the new\n            version ofNIST 800-53/53A. The Department\'s C&A Toolkit has been fully updated to\n            implement this change. Applying a risk-based approach, the Department does not judge\n            it necessary to retroactively adjust prior C&As to meet this new standard. [3]\n\n            With regard to bullet 4, the Department performs such annual testing on all its systems,\n            except in rare cases that are vigorously pursued.\n\nRecommendation 4: {Section B} We recommend that the Chief Information Officer expedite\nthe Information Resource Management, Operations, Enterprise Network Management and\nDiplomatic Security, Security Infrastructure, Office of Computer Security process to finalize and\nimplement the elements within the Cyber Security Architecture draft target architecture and\n\n[1]   OMB M-1l-33, FAQ 28.\n[2]   A new NIST 800-53A was needed to implement the new 800-53, and was not published until June 2010.\n[3]   Authority is OMB M-1l-33, FAQ 15.\n\n\n\n\n                                                       65\n\t\n                                           UNCLASSIFIED\n\n\x0c                                           UNCLASSIFIED\n\n\n\n\n\n                                               UNCLASSIFIED\n                                                    5\n\ninitiative for end-to-end configuration management and take immediate action to correct or\nmitigate the high risk vulnerabilities identified by the vulnerability scanning as required by the\nForeign Affairs Manual and Diplomatic Security System Configuration Policy and Procedures.\n\n       Department Response to Recommendation 4:\n\n           The Department notes this recommendation is based on three findings:\n              \xe2\x80\xa2 Some "critical" patches were not installed.\n              \xe2\x80\xa2 iPost failed to report 100% of required configuration settings.\n              \xe2\x80\xa2 Less than 100% of all vulnerabilities are mitigated.\n\n           In general, the OIG is using a criterion focused upon completeness, and overlooking\n           timeliness. This is a "compliance-based" approach not consistent with FY20ll FISMA\n           reporting instructions that require both the Department and OIG to assess risk and make\n           judgments of how to best achieve security.\n\n           More specifically, the OIG asserts the Department is not checking 100% of configuration\n           settings within the "required" three-year timeframe. Utilizing a risk-based approach, the\n           Department is applying the analysis conducted by MIT Lincoln Labs examining the\n           tradeoff between completeness and timeliness of testing. This study shows the following\n           two conditions have approximately equal risk: 11\n\n                      100% completeness every year ~ 17% completeness every two months\n\n           Because the Department checks nearly 90% of configuration settings every three days,\n           the Department\'s risk is significantly lower than the traditional C&A requirement (100%\n           completeness every three years). In this case, evidence shows timeliness trumps\n           completeness in lowering risk.\n\n           The Department examined each of the three OIG findings and determined the findings do\n           not reflect a material increase of risk for reasons documented elsewhere. 12 The\n           Department will continue to assess risk in these areas, and if a material risk to the\n           security of the Department is found, the Department will take appropriate steps.\n\nRecommendation 5: {Section C} We recommend that the Chief Information Officer and the\nBureau of Diplomatic Security ensure, for significant security responsibility (SSR) training, that\npersonnel designated as having SSR responsibilities receive the appropriate training in\naccordance with the Information Assurance Training Plan.\n\n\n\n\n11   Given other assumptions applicable to the Department.\n12   Available for auditor inspection.\n\n\n\n\n                                                       66\n\t\n                                           UNCLASSIFIED\n\n\x0c                                            UNCLASSIFIED\n\n\n\n\n\n                                                 UNCLASSIFIED\n                                                            6\n\n     Department Response to Recommendation 5:\n\n         The Department agrees with this recommendation because the condition of not tracking\n         (individually) those who need role-based training creates undue risk for the Department.\n         The Department will develop a method of tracking of who needs and who has received\n         role-based training; comparable to what is available for awareness training (including risk\n         scoring in iPost).\n\nRecommendation 6: {Section C} We recommend that the Chief Information Officer\nimplement, for Security Awareness Training, automated methods to replace the current manual\nprocess to track and enforce the Department of State security awareness policy and to suspend a\nuser\'s access to the network if the user has not taken the Cyber Security Awareness course\nwithin the required timeframe in accordance with the Information Assurance Training Plan.\n\n     Department Response to Recommendation 6:\n\n         The Department has conducted a preliminary study of compliance with annual\n         completion of the PS-800 training course. These preliminary findings show nearly 100%\n         of those who require training receive training within 30 days of the due date. The\n         Department does not consider this level of non-compliance to be a material risk to the\n         security of the Department.\n\n         This is especially true, considering there are several other sources of awareness training\n         including the daily awareness program at login, as well as weekly and quarterly sources.\n\n         The OIG proposal to automatically suspend account access (without human intervention)\n         has a high risk of creating serious denial-of-service issues and as such, itself poses risks\n         to the security of the Department.\n\n         The Department will conduct a complete assessment of compliance in this area and take\n         appropriate action if a material level of non-compliance is indicated.\n\nRecommendation 7: {Section D} We recommend that the Chief Information Officer:\n   \xe2\x80\xa2 Implement a Plan of Action and Milestones (POA&M) tracking process for all ClassNet\n     security weaknesses as required by Committee on National Security Systems Policy\n     Number 22, Information Assurance Risk Management Policy for National Security\n     Systems. 13\n   \xe2\x80\xa2 Distribute the quarterly POA&M Grade Memorandums to the bureaus\' and offices\'\n     senior management (executive director) as required by M-04-25, FY 2004 Reporting\n     Instructions for the Federal Information Security Management Act.\n\n13   With regard to POA&Ms this source states "Require a formal Enterprise-level Plan of Actions and Milestones\n(POA&M) containing: (i) systemic information system and organizational security weaknesses and deficiencies; (ii)\nrisks relating to the identified weaknesses and deficiencies requiring further mitigation; and (iii) specific actions to\nmitigate identified   risks." The Department believes that our POA&M process for ClassNet meets these\nrequirements in all material regards.\n\n\n\n\n                                                          67\n\t\n                                            UNCLASSIFIED\n\n\x0c                                           UNCLASSIFIED\n\n\n\n\n\n                                               UNCLASSIFIED\n                                                    7\n\n       \xe2\x80\xa2   Ensure that the POA&M completion dates and the required resources for OpenNet\n           corrective actions are updated as required by OMB Memorandum M-04-2S.\n\n       Department Response to Recommendation 7:\n\n           The Department has examined the detailed findings supporting the summary statements\n           in this draft document. The Department concludes that the problems identified are not\n           material (or are now being addressed) for the following reasons:\n               \xe2\x80\xa2 The Department has a compliant process for tracking POA&M items on ClassNet.\n               \xe2\x80\xa2 The Department has started distributing quarterly grades (effective QI-FY2012)\n                   to executive officers, as recommended.\n               \xe2\x80\xa2 Quarterly updates to POA&M data are not warranted, unless there has been a\n                    change of status. The grading covered under the prior bullet addresses this issue.\n\n           The Department notes the iPost system performs many of the functions of a POA&M\n           system at a level of timeliness and detail that the traditional POA&M approach cannot\n           achieve. Given the MIT Lincoln Labs findings on the trade-off between completeness\n           and timeliness discussed previously, the Department concludes that deficiencies in the\n           traditional POA&M system are not a material risk to the security of the Department,\n           given iPost as a compensating control. 14\n\nRecommendation 8: {Section E} We recommend that the Chief Information Officer (CIO)\ndevelop and implement Department of State processes and procedures to resolve weaknesses in\nuser accounts to ensure that unnecessary network user accounts are promptly removed by the\nbureaus and posts. Further, the CIO should develop and implement procedures to ensure that\nbureaus and organizational unit administrators annually review and recertify access privileges of\nusers so that the number of guest, test, and temporary accounts are managed effectively as\nrequired by the Foreign Affairs Manual 12 FAM 622 and 12 FAM 629.\n\n       Department Response to Recommendation 8:\n\n           The Department notes that operational considerations require some accounts to be set\n           "not to expire" and such accounts are scored and noted in iPost. The Department\n           considers this process appropriate.\n\n           The Department conducted a preliminary investigation of the accounts identified as\n           deficient by the OIG using a random sample of accounts in each of the remaining\n           categories found. The Department\'s study concluded the OIG had overestimated the\n           level of deficiency by 380% on ClassNet and by 1,100% on OpenNet. The Department\n           cannot find a single incident in FY2011 where one of these accounts was compromised.\n           In part, this is because of compensating controls: for example, unauthorized access via\n           guessing of passwords is significantly mitigated by automatically locking accounts after\n           three bad passwords are offered.\n\n\n\n14   Authority to make this judgment is provided by OMB M-1l-33, FAQ 15.\n\n\n\n\n                                                       68\n\t\n                                           UNCLASSIFIED\n\n\x0c                                     UNCLASSIFIED\n\n\n\n\n\n                                         UNCLASSIFIED\n                                              8\n\n       The Department agrees there is a potential risk with these types of accounts. In\n       December 20 II, the Department will commence scoring stale accounts in iPost. The\n       Department will also conduct a more complete assessment of this problem and determine\n       what prioritized mitigation actions are justified by the current level of risk.\n\n\nRecommendation 9: {Section F} We recommend that the ChiefInformation Officer (CIO)\nensure compliance with the account management process to make certain that user and\nadministrator accounts are created, modified, and deleted in a manner consistent with\nDepartment of State policy. Further, the CIO needs to compare the terminated user listings\nprovided by bureau and post personnel officers with information contained in the active directory\non a quarterly basis to ensure that accounts for separated employees are removed timely as\nrequired by NIST SP 800-53, Revision 3, August 2009, Recommended Security Controls for\nFederal Information Systems and Organizations and the Foreign Affairs Manual (12 FAM\n62l.3).\n\n   Department Response to Recommendation 9:\n\n       The deactivation of accounts recommendation is related to Financial Audit findings under\n       the title "Untimely Removal ofInactive or Separated Employees\' User Accounts". The\n       management response to the related financial audit findings address the deactivation of\n       account issues raised above.\n\n       The Department will investigate the other findings within six months to determine their\n       scope and materiality to the security of the Department. This review will use reliable\n       statistical methods, ensuring results may be projected to the population of all accounts\n       from the review. Based upon this review, the Department will determine a risk-based and\n       cost-effective solution to any issues identified. This solution may range from accepting\n       the risk, to further corrective action.\n\n\nRecommendation 10: {Section G} We recommend that the Information Security Steering\nCommittee develop, document, and implement an enterprise-wide continuous monitoring\nstrategy that addresses framing risk, assessing risk, responding to risk, and monitoring risk, as\nrequired by NIST SP 800-39, "Managing Information Security Risk."\n\n   Department Response to Recommendation 10:\n\n       The Department agrees some increased level of documentation, as called for in\n       recommendation 2, would be valuable.\n\nRecommendation 11: {Section G} We recommend that the Chief Information Officer in\naccordance with the requirements in NIST SP 800-39, "Managing Information Security Risk":\n   \xe2\x80\xa2 Implement a continuous monitoring strategy at the enterprise-wide level.\n   \xe2\x80\xa2 Obtain and use scanning software to enable effective scans of non-Windows operating\n       systems, databases, firewalls, routers, and switches.\n\n\n\n\n                                                69\n\t\n                                     UNCLASSIFIED\n\n\x0c                                    UNCLASSIFIED\n\n\n\n\n\n                                       UNCLASSIFIED\n                                                9\n\n   \xe2\x80\xa2   Develop operating procedures to ensure the results are included in the Risk Scoring\n       Program dashboard.\n   \xe2\x80\xa2   Develop procedures to ensure that System Security Owners update the system security\n       plans to include a continuous monitoring strategy to detail how system security controls\n       are to be monitored.\n\n   Department Response to Recommendation 11:\n\n       Regarding bullet 1, the Department notes that implementation of an effective continuous\n       monitoring strategy will require continuous improvement and thus never be completed.\n       The Department\'s current continuous monitoring implementation is being copied as a\n       model by both other government agencies and the private sector.\n\n       Regarding bullet 2, the Department is already engaged in these efforts and will pursue\n       them with an appropriate level of priority. Test scans of routers and switches show that if\n       the height of the Washington Monument represented the total risk in place in the summer\n       of2008, the risk of "uncovered" routers and switches would be less than 0.34 inches\n       high. The Department will continue to prioritize such risks and expand the coverage of\n       the risk scoring program.\n\n       Regarding bullet 3, the Department will continue to expand coverage of risk in iPost in\n       line with the priorities established under bullet 2.\n\n       Regarding bullet 4, the Department notes that the continuous monitoring strategy is an\n       enterprise level strategy. Thus, the continuous monitoring strategy does not need to be\n       addressed in detail in every system security plan.\n\nRecommendation 12: {Section H} We recommend that the Chief Information Officer, in\naccordance with NIST SP 800-34, Revision 1, "Contingency Planning Guide for Federal\nInformation Systems" take the following actions:\n    \xe2\x80\xa2 Update the Continuity of Operations Communication Plan annually or when changes\n       occur to the organization, network hardware, systems, and applications and, if necessary,\n       after Continuity Testing.\n    \xe2\x80\xa2 Perform an entity-wide Business Impact Analysis and develop a strategy to prioritize\n       recovery of the critical assets within the Department of State.\n    \xe2\x80\xa2 Update the section of the Foreign Affairs Manual that contains guidance and direction for\n       development and implementation of Continuity of Operations Communication Plan.\n\n\n\n\n   Department Response to Recommendation 12:\n\n       The Department will:\n\n\n\n\n                                              70\n\t\n                                    UNCLASSIFIED\n\n\x0c                                   UNCLASSIFIED\n\n\n\n\n\n                                       UNCLASSIFIED\n                                            10\n\n           \xe2\x80\xa2   Develop a master table of contents for the OpenN et security documentation across\n               sub-systems so that the OIG can find the COOP plans and updates in ON\n               subsections.\n           \xe2\x80\xa2   Develop criteria to determine when COOP plans have been adequately addressed\n               in these documents.\n           \xe2\x80\xa2   Verify that significant changes to COOP plans are in compliance with the\n               applicable criteria.\n\nRecommendation 13: {Section H} We recommend that the Bureau of Administration, Office\nof Emergency Management, in coordination with the ChiefInformation Officer, align the\nBusiness Impact Analysis of the Primary Mission Essential Functions with the Bureau of\nInformation Resource Management\'s Maximum Tolerable Downtime for the network in\naccordance with NIST SP 800-34, Revision 1, "Contingency Planning Guide for Federal\nInformation Systems."\n\n   Department Response to Recommendation 13:\n\n       The Department considers the documents already aligned and will:\n          \xe2\x80\xa2 Develop criteria to determine when the BIA and State GSS downtime are\n             adequately coordinated.\n          \xe2\x80\xa2 Verify that these criteria are met.\n\nRecommendation 14: {Section I} As required by National Institute of Standards and\nTechnology (NIST) Special Publications (SP) 800-34, Revision 1, Contingency Planning Guide\nfor Federal Information Systems, and SP 800-53, Revision 3, Recommended Security Controls\nfor Federal Information Systems and Organizations, we recommend that the Bureau of\nInformation Resource Management, Office ofInformation Assurance, in coordination with the\nbureaus and system owners, take the following actions:\n    \xe2\x80\xa2 Document and maintain alternate site locations and procedures for accessing an alternate\n       site.\n    \xe2\x80\xa2 Develop and maintain contingency plans for all major applications and general support\n       systems.\n    \xe2\x80\xa2 Maintain and update recovery and restoration procedures for all applications and general\n       support systems.\n\n   Department Response to Recommendation 14:\n\n       The Department will document compliance and/or non-compliance to the OIG findings\n       and take the necessary corrective action.\n\nRecommendation 15: {Section I} As required by National Institute of Standards and\nTechnology (NIST) Special Publications (SP) 800-34, Revision I, Contingency Planning Guide\nfor Federal Information Systems and SP 800-53, Revision 3, Recommended Security Controls for\nFederal Information Systems and Organizations, we recommend that the Chief Information\nOfficer:\n\n\n\n\n                                              71\n\t\n                                   UNCLASSIFIED\n\n\x0c                                    UNCLASSIFIED\n\n\n\n\n\n                                        UNCLASSIFIED\n                                             11\n\n    \xe2\x80\xa2   Revise the Infonnation Resource Management/Infonnation Assurance Contingency Plan\n        Test Review checklist to address the following items:\n             o Recovery and damage assessment procedures\n             o Alternate recovery site details\n             o Back-up procedures\n             o Back-up test results for moderate- and high impact systems\n    \xe2\x80\xa2   Revise the Contingency Plan Policy to include an organization-defined frequency for\n        backup testing.\n    \xe2\x80\xa2   Revise the Foreign Affairs Manual to require system owners to report to IRM/IA on the\n        test results and updates to the contingency plans.\n\n    Department Response to Recommendation 15:\n\n        The Department will document compliance and/or non-compliance to the OIG findings\n        and take the necessary corrective action.\n\nRecommendation 16: {Section J} We recommend that the ChiefInfonnation Officer in\naccordance with the Foreign Affairs Manual (5 FAM 1065.3) and the National Institute of\nStandards and Technology Special Publication 800-47, "Security Guide for Interconnecting\nInformation Technology Systems," take the following actions:\n    \xe2\x80\xa2 Ensure that the contractor oversight program complies with Office of Management and\n       Budget, Federal Infonnation Security Management Act, National Institute of Standards\n       and Technology, and the Foreign Affairs Manual security policies, standards, and\n       requirements for managing Contractor Owned Contractor Operated (COCO) systems;\n       specifically, all security-related documentation for such systems should be retained.\n    \xe2\x80\xa2 Implement a COCO system security program whereby COCOs are overseen by the\n       Bureau of Infonnation Resource Management/Infonnation Assurance.\n\n    Department Response to Recommendation 16:\n\n        Regarding bullet 1, the Department will document compliance and/or non-compliance to\n        the OIG findings and take the necessary corrective action.\n\n        Regarding bullet 2, the Department does not agree that these assignments require change\n        and thus does not agree with the recommendation.\n\nRecommendation 17: {Section J} We recommend that the Bureau of Diplomatic Security\ndevelop and implement new and enhanced security requirements to coordinate security activities\nfor tracking all extensions (that is, contractor sites, other Government agencies, and third-party\nvendors) to OpenNet and ClassNet as required by the Office of Management and Budget\nMemorandum M-II-33, FY 2011 Reporting Instructions for the Federal Information Security\nManagement Act and Agency Privacy Management.\n\n\n    Department Response to Recommendation 17:\n\n\n\n\n                                               72\n\t\n                                    UNCLASSIFIED\n\n\x0c                                    UNCLASSIFIED\n\n\n\n\n\n                                       UNCLASSIFIED\n                                            12\n\n       The Department will verify that all Department of State computers at other Federal\n       agencies are clearly documented. (We found no defects with regard to the process for\n       contractor sites.)\n\nRecommendation 18: {Section J} We recommend that the Bureau of Diplomatic Security, in\ncoordination with the Bureau of Administration, establish procedures to identify the total number\nof contractors who have access to Department of State systems as required by the Office of\nManagement and Budget Memorandum M-11-33, FY 2011Reporting Instructionsfor the\nFederal Information Security Management Act and Agency Privacy Management.\n\n   Department Response to Recommendation 18:\n\n       The Department does not agree with this recommendation because a) knowing the exact\n       total number of contractors (a continuously changing number) does not have an impact\n       upon the security of the Department, and b) it is not required by M-1l-33.\n\nRecommendation 19: {Section K} We recommend that the Chief Information Officer, as\nrequired by Office of Management and Budget (OM B) Memorandum M-11-33, FY 2011\nReporting Instructions for the Federal Information Security Management Act and Agency\nPrivacy Management and OMB Circular No. A-II, Preparation, Submission, and Execution of\nthe Budget:\n\n   \xe2\x80\xa2   Ensure that the Bureau of Information Resource Management/ Business Management and\n       Planning track all obligations and expenditures for information technology security\n       investments.\n   \xe2\x80\xa2   Provide a summary of non-maj or investments that make up the information technology\xc2\xad\n       infrastructure and other major investments.\n   \xe2\x80\xa2   Include the Unique Project Identifier in the Department of State\'s Plans of Action and\n       Milestones database.\n\n   Department Response to Recommendation 19:\n\n       The Department agrees with the recommendation, but not the authorities cited and will:\n           \xe2\x80\xa2   Track and include a summary report for all obligations and expenditures for all IT\n               projects with a) a material level offunding, or b) significant security risk.\n           \xe2\x80\xa2   Include UP Is in the Department\'s POA&M for each system.\n\n\n\n\n                                              73\n\t\n                                    UNCLASSIFIED\n\n\x0cFRAUD, WASTE, ABUSE, OR MISMANAGEMENT\n                 of Federal programs\n\t\n            and resources hurts everyone. \n\n\n\n\n         Call the Office of Inspector General\n\t\n                      HOTLINE\n\n                     202/647-3320 \n\n                  or 1-800-409-9926\n\n        to report illegal or wasteful activities.\n\t\n\n\n               You may also write to\n\t\n             Office of Inspector General\n\t\n              U.S. Department of State\n\t\n               Post Office Box 9778 \n\n                Arlington, VA 22219\n\t\n\n       Please visit our Web site at oig.state.gov\n\t\n\n           Cables to the Inspector General\n\t\n          should be slugged \xe2\x80\x9cOIG Channel\xe2\x80\x9d\n\t\n              to ensure confidentiality.\n\t\n\x0cUNCLASSIFIED\n\n\n\n\n\nUNCLASSIFIED\n\n\x0c'